Bump version to 0.10.5

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>

.gitlab-ci.yml

@@ -2,14 +2,16 @@
 variables:
   BUILD_IMAGES_PROJECT: libssh/build-images
   CENTOS7_BUILD: buildenv-centos7
-  COVERITY_BUILD: buildenv-coverity
+  CENTOS8_BUILD: buildenv-c8s
+  CENTOS9_BUILD: buildenv-c9s
   FEDORA_BUILD: buildenv-fedora
   MINGW_BUILD: buildenv-mingw
   TUMBLEWEED_BUILD: buildenv-tumbleweed
   UBUNTU_BUILD: buildenv-ubuntu
-  RAWHIDE_BUILD: buildenv-rawhide
+  ALPINE_BUILD: buildenv-alpine
 
 stages:
+  - review
   - build
   - test
   - analysis
@@ -61,18 +63,27 @@ stages:
   variables:
     CMAKE_ADDITIONAL_OPTIONS: -DWITH_PKCS11_URI=ON
 
-.fedora_rawhide:
-  extends: .fedora
-  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$RAWHIDE_BUILD
-  before_script:
-    - *build
-    # Legacy cp is needed for SHA1 tests to pass
-    - update-crypto-policies --set LEGACY
-
 .tumbleweed:
   extends: .tests
   image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$TUMBLEWEED_BUILD
 
+.fips:
+  extends: .tests
+  variables:
+    # DSA is turned off in fips mode
+    CMAKE_ADDITIONAL_OPTIONS: -DWITH_PKCS11_URI=ON -DWITH_DSA=OFF
+  before_script:
+    - *build
+    - echo "# userspace fips" > /etc/system-fips
+    # We do not need the kernel part, but in case we ever do:
+    # mkdir -p /var/tmp/userspace-fips
+    # echo 1 > /var/tmp/userspace-fips/fips_enabled
+    # mount --bind /var/tmp/userspace-fips/fips_enabled \
+    # /proc/sys/crypto/fips_enabled
+    - update-crypto-policies --show
+    - update-crypto-policies --set FIPS
+    - update-crypto-policies --show
+
 
 ###############################################################################
 #                               CentOS builds                                 #
@@ -86,6 +97,43 @@ centos7/openssl_1.0.x/x86_64:
       make -j$(nproc) &&
       ctest --output-on-failure
 
+centos9s/openssl_3.0.x/x86_64:
+  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$CENTOS9_BUILD
+  extends: .tests
+  variables:
+    CMAKE_ADDITIONAL_OPTIONS: -DWITH_PKCS11_URI=ON
+  script:
+    - export OPENSSL_ENABLE_SHA1_SIGNATURES=1
+    - cmake $CMAKE_OPTIONS $CMAKE_ADDITIONAL_OPTIONS .. &&
+      make -j$(nproc) &&
+      ctest --output-on-failure
+
+centos9s/openssl_3.0.x/x86_64/fips:
+  extends: .fips
+  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$CENTOS9_BUILD
+  script:
+    - export OPENSSL_ENABLE_SHA1_SIGNATURES=1
+    - cmake $CMAKE_OPTIONS $CMAKE_ADDITIONAL_OPTIONS .. &&
+      make -j$(nproc) &&
+      OPENSSL_FORCE_FIPS_MODE=1 ctest --output-on-failure
+
+centos8s/openssl_1.1.1/x86_64:
+  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$CENTOS8_BUILD
+  extends: .tests
+  variables:
+    CMAKE_ADDITIONAL_OPTIONS: -DWITH_PKCS11_URI=ON
+  script:
+    - cmake $CMAKE_OPTIONS $CMAKE_ADDITIONAL_OPTIONS .. &&
+      make -j$(nproc) &&
+      ctest --output-on-failure
+
+centos8s/openssl_1.1.1/x86_64/fips:
+  extends: .fips
+  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$CENTOS8_BUILD
+  script:
+    - cmake $CMAKE_OPTIONS $CMAKE_ADDITIONAL_OPTIONS .. &&
+      make -j$(nproc) &&
+      OPENSSL_FORCE_FIPS_MODE=1 ctest --output-on-failure
 
 ###############################################################################
 #                               Fedora builds                                 #
@@ -106,79 +154,11 @@ fedora/ninja:
   script:
     - cmake -G Ninja $CMAKE_OPTIONS ../ && ninja && ninja test
 
-fedora/openssl_1.1.x/x86_64:
+fedora/openssl_3.0.x/x86_64:
   extends: .fedora
 
-fedora/openssl_1.1.x/x86_64/fips:
+fedora/openssl_3.0.x/x86_64/minimal:
   extends: .fedora
-  before_script:
-    - echo "# userspace fips" > /etc/system-fips
-    # We do not need the kernel part, but in case we ever do:
-    # mkdir -p /var/tmp/userspace-fips
-    # echo 1 > /var/tmp/userspace-fips/fips_enabled
-    # mount --bind /var/tmp/userspace-fips/fips_enabled \
-    # /proc/sys/crypto/fips_enabled
-    - update-crypto-policies --show
-    - update-crypto-policies --set FIPS
-    - update-crypto-policies --show
-    - mkdir -p obj && cd obj && cmake
-      -DCMAKE_BUILD_TYPE=RelWithDebInfo
-      -DPICKY_DEVELOPER=ON
-      -DWITH_BLOWFISH_CIPHER=ON
-      -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON
-      -DWITH_DEBUG_CRYPTO=ON -DWITH_DEBUG_PACKET=ON -DWITH_DEBUG_CALLTRACE=ON
-      -DWITH_DSA=ON
-      -DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON ..
-  script:
-    - cmake $CMAKE_OPTIONS .. &&
-      make -j$(nproc) &&
-      OPENSSL_FORCE_FIPS_MODE=1 ctest --output-on-failure
-
-fedora/openssl_1.1.x/x86_64/minimal:
-  extends: .fedora
-  variables:
-  script:
-    - cmake $CMAKE_DEFAULT_OPTIONS
-      -DWITH_SFTP=OFF
-      -DWITH_SERVER=OFF
-      -DWITH_ZLIB=OFF
-      -DWITH_PCAP=OFF
-      -DWITH_DSA=OFF
-      -DUNIT_TESTING=ON
-      -DCLIENT_TESTING=ON
-      -DWITH_GEX=OFF .. &&
-      make -j$(nproc)
-
-fedora/openssl_3.0/x86_64:
-  extends: .fedora_rawhide
-
-fedora/openssl_3.0/x86_64/fips:
-  extends: .fedora_rawhide
-  before_script:
-    - echo "# userspace fips" > /etc/system-fips
-    # We do not need the kernel part, but in case we ever do:
-    # mkdir -p /var/tmp/userspace-fips
-    # echo 1 > /var/tmp/userspace-fips/fips_enabled
-    # mount --bind /var/tmp/userspace-fips/fips_enabled \
-    # /proc/sys/crypto/fips_enabled
-    - update-crypto-policies --show
-    - update-crypto-policies --set FIPS
-    - update-crypto-policies --show
-    - mkdir -p obj && cd obj && cmake
-      -DCMAKE_BUILD_TYPE=RelWithDebInfo
-      -DPICKY_DEVELOPER=ON
-      -DWITH_BLOWFISH_CIPHER=ON
-      -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON
-      -DWITH_DEBUG_CRYPTO=ON -DWITH_DEBUG_PACKET=ON -DWITH_DEBUG_CALLTRACE=ON
-      -DWITH_DSA=ON
-      -DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON ..
-  script:
-    - cmake $CMAKE_OPTIONS .. &&
-      make -j$(nproc) &&
-      OPENSSL_FORCE_FIPS_MODE=1 ctest --output-on-failure
-
-fedora/openssl_3.0/x86_64/minimal:
-  extends: .fedora_rawhide
   variables:
   script:
     - cmake $CMAKE_DEFAULT_OPTIONS
@@ -316,19 +296,8 @@ fedora/mingw32:
     paths:
       - obj-csbuild/
 
-fedora/csbuild/openssl_1.1.x:
-  extends: .csbuild
-  script:
-    - csbuild
-      --build-dir=obj-csbuild
-      --build-cmd "rm -rf CMakeFiles CMakeCache.txt && cmake -DCMAKE_BUILD_TYPE=Debug -DPICKY_DEVELOPER=ON -DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON -DFUZZ_TESTING=ON -DWITH_DSA=ON @SRCDIR@ && make clean && make -j$(nproc)"
-      --git-commit-range $CI_COMMIT_RANGE
-      --color
-      --print-current --print-fixed
-
 fedora/csbuild/openssl_3.0.x:
   extends: .csbuild
-  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$RAWHIDE_BUILD
   script:
     - csbuild
       --build-dir=obj-csbuild
@@ -361,20 +330,37 @@ fedora/csbuild/mbedtls:
 ###############################################################################
 #                               Ubuntu builds                                 #
 ###############################################################################
-ubuntu/openssl_1.1.x/x86_64:
+ubuntu/openssl_3.0.x/x86_64:
   image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$UBUNTU_BUILD
   extends: .tests
 
 
+###############################################################################
+#                               Alpine builds                                 #
+###############################################################################
+alpine/openssl_3.0.x/musl:
+  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$ALPINE_BUILD
+  extends: .tests
+  script:
+    - cmake $CMAKE_DEFAULT_OPTIONS
+      -DWITH_SFTP=ON
+      -DWITH_SERVER=ON
+      -DWITH_ZLIB=ON
+      -DWITH_PCAP=ON
+      -DUNIT_TESTING=ON .. &&
+      make -j$(nproc) &&
+      ctest --output-on-failure
+
+
 ###############################################################################
 #                             Tumbleweed builds                               #
 ###############################################################################
-tumbleweed/openssl_1.1.x/x86_64/gcc:
+tumbleweed/openssl_3.0.x/x86_64/gcc:
   extends: .tumbleweed
   variables:
     CMAKE_ADDITIONAL_OPTIONS: "-DKRB5_CONFIG=/usr/lib/mit/bin/krb5-config"
 
-tumbleweed/openssl_1.1.x/x86/gcc:
+tumbleweed/openssl_3.0.x/x86/gcc:
   extends: .tumbleweed
   script:
     - cmake
@@ -385,14 +371,15 @@ tumbleweed/openssl_1.1.x/x86/gcc:
       -DWITH_ZLIB=ON
       -DWITH_PCAP=ON
       -DWITH_DSA=ON
-      -DUNIT_TESTING=ON ..
+      -DUNIT_TESTING=ON .. &&
+      make -j$(nproc)
 
-tumbleweed/openssl_1.1.x/x86_64/gcc7:
+tumbleweed/openssl_3.0.x/x86_64/gcc7:
   extends: .tumbleweed
   variables:
     CMAKE_ADDITIONAL_OPTIONS: "-DCMAKE_C_COMPILER=gcc-7 -DCMAKE_CXX_COMPILER=g++-7 -DKRB5_CONFIG=/usr/lib/mit/bin/krb5-config"
 
-tumbleweed/openssl_1.1.x/x86/gcc7:
+tumbleweed/openssl_3.0.x/x86/gcc7:
   extends: .tumbleweed
   script:
     - cmake
@@ -405,7 +392,7 @@ tumbleweed/openssl_1.1.x/x86/gcc7:
       make -j$(nproc) &&
       ctest --output-on-failure
 
-tumbleweed/openssl_1.1.x/x86_64/clang:
+tumbleweed/openssl_3.0.x/x86_64/clang:
   extends: .tumbleweed
   variables:
     CMAKE_ADDITIONAL_OPTIONS: "-DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DKRB5_CONFIG=/usr/lib/mit/bin/krb5-config"
@@ -437,7 +424,7 @@ tumbleweed/static-analysis:
 ###############################################################################
 # That is a specific runner that we cannot enable universally.
 # We restrict it to builds under the $BUILD_IMAGES_PROJECT project.
-freebsd/x86_64:
+freebsd/openssl_1.1.1/x86_64:
   image:
   extends: .tests
   before_script:
@@ -490,8 +477,6 @@ freebsd/x86_64:
     paths:
       - obj/
   before_script:
-    - choco install --no-progress -y cmake
-    - $env:Path += ';C:\Program Files\CMake\bin'
     - If (!(test-path .vcpkg\archives)) { mkdir -p .vcpkg\archives }
     - $env:VCPKG_DEFAULT_BINARY_CACHE="$PWD\.vcpkg\archives"
     - echo $env:VCPKG_DEFAULT_BINARY_CACHE
@@ -531,7 +516,7 @@ visualstudio/x86:
 
 coverity:
   stage: analysis
-  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$COVERITY_BUILD
+  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$CENTOS9_BUILD
   script:
     - mkdir obj && cd obj
     - wget https://scan.coverity.com/download/linux64 --post-data "token=$COVERITY_SCAN_TOKEN&project=$COVERITY_SCAN_PROJECT_NAME" -O /tmp/coverity_tool.tgz
@@ -561,3 +546,14 @@ coverity:
     when: on_failure
     paths:
       - obj/cov-int/*.txt
+
+###############################################################################
+#                                 Codespell                                   #
+###############################################################################
+codespell:
+  stage: review
+  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
+  script:
+    - codespell --ignore-words-list=keypair,sorce,ned,nd,ue
+  tags:
+    - shared

CHANGELOG

@@ -1,7 +1,50 @@
 CHANGELOG
 =========
 
-version 0.10.0 (released 2022-07-xx)
+version 0.10.5 (released 2023-05-04)
+ * Fix CVE-2023-1667: a NULL dereference during rekeying with algorithm guessing
+ * Fix CVE-2023-2283: a possible authorization bypass in
+   pki_verify_data_signature under low-memory conditions.
+ * Fix several memory leaks in GSSAPI handling code
+ * Escape braces in ProxyCommand created from ProxyJump options for zsh
+   compatibility.
+ * Fix pkg-config path relocation for MinGW
+ * Improve doxygen documentation
+ * Fix build with cygwin due to the glob support
+ * Do not enqueue outgoing packets after sending SSH2_MSG_NEWKEYS
+ * Add support for SSH_SUPPRESS_DEPRECATED
+ * Avoid functions declarations without prototype to build with clang 15
+ * Fix spelling issues
+ * Avoid expanding KnownHosts, ProxyCommands and IdentityFiles repetitively
+ * Add support sk-* keys through configuration
+ * Improve checking for Argp library
+ * Log information about received extensions
+ * Correctly handle rekey with delayed compression
+ * Move the EC keys handling to OpenSSL 3.0 API
+ * Record peer disconnect message
+ * Avoid deadlock when write buffering occurs and we call poll recursively to
+   flush the output buffer
+ * Disable preauthentication compression by default
+ * Add CentOS 8 Stream / OpenSSL 1.1.1 to CI
+ * Add accidentally removed default compile flags
+ * Solve incorrect parsing of ProxyCommand option
+
+version 0.10.4 (released 2022-09-07)
+  * Fixed issues with KDF on big endian
+
+version 0.10.3 (released 2022-09-05)
+  * Fixed possible infinite loop in known hosts checking
+
+version 0.10.2 (released 2022-09-02)
+  * Fixed tilde expansion when handling include directives
+  * Fixed building the shared torture library
+  * Made rekey test more robust (fixes running on i586 build systems e.g koji)
+
+version 0.10.1 (released 2022-08-30)
+  * Fixed proxycommand support
+  * Fixed musl libc support
+
+version 0.10.0 (released 2022-08-26)
   * Added support for OpenSSL 3.0
   * Added support for mbedTLS 3
   * Added support for Smart Cards  (through openssl pkcs11 engine)
@@ -25,6 +68,9 @@ version 0.10.0 (released 2022-07-xx)
   * Deprecated old pubkey, privatekey API
   * Avoided some needless large stack buffers to minimize memory footprint
   * Removed support for OpenSSL < 1.0.1
+  * Fixed parsing username@host in login name
+  * Free global init mutex in the destructor on Windows
+  * Fixed PEM parsing in mbedtls to support both legacy and new PKCS8 formats
 
 version 0.9.6 (released 2021-08-26)
   * CVE-2021-3634: Fix possible heap-buffer overflow when rekeying with
@@ -57,7 +103,7 @@ version 0.9.4 (released 2020-04-09)
   * Fixed CVE-2020-1730 - Possible DoS in client and server when handling
     AES-CTR keys with OpenSSL
   * Added diffie-hellman-group14-sha256
-  * Fixed serveral possible memory leaks
+  * Fixed several possible memory leaks
 
 version 0.9.3 (released 2019-12-10)
   * Fixed CVE-2019-14889 - SCP: Unsanitized location leads to command execution
@@ -208,7 +254,7 @@ version 0.6.1 (released 2014-02-08)
   * Fixed DSA signature extraction.
   * Fixed some memory leaks.
   * Fixed read of non-connected socket.
-  * Fixed thread dectection.
+  * Fixed thread detection.
 
 version 0.6.0 (released 2014-01-08)
   * Added new publicy key API.
@@ -233,7 +279,7 @@ version 0.6.0 (released 2014-01-08)
 version 0.5.5 (released 2013-07-26)
   * BUG 103: Fix ProxyCommand parsing.
   * Fix setting -D_FORTIFY_SOURCE=2.
-  * Fix pollset error return if emtpy.
+  * Fix pollset error return if empty.
   * Fix NULL pointer checks in channel functions.
   * Several bugfixes.
 
@@ -249,7 +295,7 @@ version 0.5.3 (released 2012-11-20)
   * BUG #84 - Fix bug in sftp_mkdir not returning on error.
   * BUG #85 - Fixed a possible channel infinite loop if the connection dropped.
   * BUG #88 - Added missing channel request_state and set it to accepted.
-  * BUG #89 - Reset error state to no error on successful SSHv1 authentiction.
+  * BUG #89 - Reset error state to no error on successful SSHv1 authentication.
   * Fixed a possible use after free in ssh_free().
   * Fixed multiple possible NULL pointer dereferences.
   * Fixed multiple memory leaks in error paths.
@@ -310,7 +356,7 @@ version 0.4.7 (released 2010-12-28)
   * Fixed a possible memory leak in ssh_get_user_home().
   * Fixed a memory leak in sftp_xstat.
   * Fixed uninitialized fd->revents member.
-  * Fixed timout value in ssh_channel_accept().
+  * Fixed timeout value in ssh_channel_accept().
   * Fixed length checks in ssh_analyze_banner().
   * Fixed a possible data overread and crash bug.
   * Fixed setting max_fd which breaks ssh_select().
@@ -333,7 +379,7 @@ version 0.4.5 (released 2010-07-13)
   * Added option to bind a client to an ip address.
   * Fixed the ssh socket polling function.
   * Fixed Windows related bugs in bsd_poll().
-  * Fixed serveral build warnings.
+  * Fixed several build warnings.
 
 version 0.4.4 (released 2010-06-01)
   * Fixed a bug in the expand function for escape sequences.
@@ -352,17 +398,17 @@ version 0.4.3 (released 2010-05-18)
   * Fixed sftp_chown.
   * Fixed sftp_rename on protocol version 3.
   * Fixed a blocking bug in channel_poll.
-  * Fixed config parsing wich has overwritten user specified values.
+  * Fixed config parsing which has overwritten user specified values.
   * Fixed hashed [host]:port format in knownhosts
   * Fixed Windows build.
-  * Fixed doublefree happening after a negociation error.
+  * Fixed doublefree happening after a negotiation error.
   * Fixed aes*-ctr with <= OpenSSL 0.9.7b.
   * Fixed some documentation.
   * Fixed exec example which has broken read usage.
   * Fixed broken algorithm choice for server.
   * Fixed a typo that we don't export all symbols.
   * Removed the unneeded dependency to doxygen.
-  * Build examples only on the Linux plattform.
+  * Build examples only on the Linux platform.
 
 version 0.4.2 (released 2010-03-15)
   * Added owner and group information in sftp attributes.
@@ -384,7 +430,7 @@ version 0.4.1 (released 2010-02-13)
   * Added an example for exec.
   * Added private key type detection feature in privatekey_from_file().
   * Fixed zlib compression fallback.
-  * Fixed kex bug that client preference should be prioritary
+  * Fixed kex bug that client preference should be priority
   * Fixed known_hosts file set by the user.
   * Fixed a memleak in channel_accept().
   * Fixed underflow when leave_function() are unbalanced
@@ -522,7 +568,7 @@ version 0.11-dev
   * Keyboard-interactive authentication working.
 
 version 0.1 (released 2004-03-05)
-  * Begining of sftp subsystem implementation.
+  * Beginning of sftp subsystem implementation.
   * Some cleanup into channels implementation
   * Now every channel functions is called by its CHANNEL handler.
   * Added channel_poll() and channel_read().
@@ -543,7 +589,7 @@ version 0.0.4 (released 2003-10-10)
   * Added a wrapper.c file. The goal is to provide a similar API to every
     cryptographic functions. bignums and sha/md5 are wrapped now.
   * More work than it first looks.
-  * Support for other crypto libs planed (lighter libs)
+  * Support for other crypto libs planned (lighter libs)
   * Fixed stupid select() bug.
   * Libssh now compiles and links with openssl 0.9.6
   * RSA pubkey authentication code now works !

CMakeLists.txt

@@ -10,7 +10,7 @@ list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake/Modules")
 include(DefineCMakeDefaults)
 include(DefineCompilerFlags)
 
-project(libssh VERSION 0.10.0 LANGUAGES C)
+project(libssh VERSION 0.10.5 LANGUAGES C)
 
 # global needed variable
 set(APPLICATION_NAME ${PROJECT_NAME})
@@ -22,7 +22,7 @@ set(APPLICATION_NAME ${PROJECT_NAME})
 #     Increment AGE. Set REVISION to 0
 #   If the source code was changed, but there were no interface changes:
 #     Increment REVISION.
-set(LIBRARY_VERSION "4.9.0")
+set(LIBRARY_VERSION "4.9.5")
 set(LIBRARY_SOVERSION "4")
 
 # where to look first for cmake modules, before ${CMAKE_ROOT}/Modules/ is checked
@@ -103,9 +103,7 @@ if (WITH_NACL)
     endif (NOT NACL_FOUND)
 endif (WITH_NACL)
 
-if (BSD OR SOLARIS OR OSX OR CYGWIN)
-    find_package(Argp)
-endif (BSD OR SOLARIS OR OSX OR CYGWIN)
+find_package(Argp)
 
 # Disable symbol versioning in non UNIX platforms
 if (UNIX)
@@ -125,7 +123,7 @@ add_subdirectory(src)
 
 # pkg-config file
 if (UNIX OR MINGW)
-configure_file(libssh.pc.cmake ${CMAKE_CURRENT_BINARY_DIR}/libssh.pc)
+configure_file(libssh.pc.cmake ${CMAKE_CURRENT_BINARY_DIR}/libssh.pc @ONLY)
 install(
   FILES
     ${CMAKE_CURRENT_BINARY_DIR}/libssh.pc

CONTRIBUTING.md

@@ -274,7 +274,7 @@ This is bad:
      * This is a multi line comment,
      * with some more words...*/
 
-### Indention & Whitespace & 80 columns
+### Indentation & Whitespace & 80 columns
 
 To avoid confusion, indentations have to be 4 spaces. Do not use tabs!.  When
 wrapping parameters for function calls, align the parameter list with the first

CPackConfig.cmake

@@ -10,7 +10,7 @@ set(CPACK_PACKAGE_VERSION ${PROJECT_VERSION})
 
 # SOURCE GENERATOR
 set(CPACK_SOURCE_GENERATOR "TXZ")
-set(CPACK_SOURCE_IGNORE_FILES "~$;[.]swp$;/[.]git/;/[.]clangd/;/[.]cache/;.gitignore;/build*;/obj*;tags;cscope.*;compile_commands.json;.*\.patch")
+set(CPACK_SOURCE_IGNORE_FILES "~$;[.]swp$;/[.]git;/[.]clangd/;/[.]cache/;.gitignore;/build*;/obj*;tags;cscope.*;compile_commands.json;.*\.patch")
 set(CPACK_SOURCE_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}")
 
 ### NSIS INSTALLER

CompilerChecks.cmake

@@ -70,7 +70,7 @@ if (UNIX)
     check_c_compiler_flag_ssp("-fstack-protector-strong" WITH_STACK_PROTECTOR_STRONG)
     if (WITH_STACK_PROTECTOR_STRONG)
         list(APPEND SUPPORTED_COMPILER_FLAGS "-fstack-protector-strong")
-        # This is needed as Solaris has a seperate libssp
+        # This is needed as Solaris has a separate libssp
         if (SOLARIS)
             list(APPEND SUPPORTED_LINKER_FLAGS "-fstack-protector-strong")
         endif()
@@ -78,7 +78,7 @@ if (UNIX)
         check_c_compiler_flag_ssp("-fstack-protector" WITH_STACK_PROTECTOR)
         if (WITH_STACK_PROTECTOR)
             list(APPEND SUPPORTED_COMPILER_FLAGS "-fstack-protector")
-            # This is needed as Solaris has a seperate libssp
+            # This is needed as Solaris has a separate libssp
             if (SOLARIS)
                 list(APPEND SUPPORTED_LINKER_FLAGS "-fstack-protector")
             endif()

ConfigureChecks.cmake

@@ -104,6 +104,10 @@ if (OPENSSL_FOUND)
     set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARIES})
     check_function_exists(EVP_KDF_CTX_new_id HAVE_OPENSSL_EVP_KDF_CTX_NEW_ID)
 
+    set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
+    set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARIES})
+    check_function_exists(EVP_KDF_CTX_new HAVE_OPENSSL_EVP_KDF_CTX_NEW)
+
     set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
     set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARIES})
     check_function_exists(FIPS_mode HAVE_OPENSSL_FIPS_MODE)
@@ -159,6 +163,11 @@ if (NOT WITH_GCRYPT AND NOT WITH_MBEDTLS)
     if (HAVE_OPENSSL_ECC)
         set(HAVE_ECC 1)
     endif (HAVE_OPENSSL_ECC)
+
+    if (HAVE_OPENSSL_EVP_KDF_CTX_NEW_ID OR HAVE_OPENSSL_EVP_KDF_CTX_NEW)
+        set(HAVE_OPENSSL_EVP_KDF_CTX 1)
+    endif (HAVE_OPENSSL_EVP_KDF_CTX_NEW_ID OR HAVE_OPENSSL_EVP_KDF_CTX_NEW)
+
 endif ()
 
 if (WITH_DSA)
@@ -311,7 +320,7 @@ int main(void) {
 # For detecting attributes we need to treat warnings as
 # errors
 if (UNIX OR MINGW)
-    # Get warnings for attributs
+    # Get warnings for attributes
     check_c_compiler_flag("-Wattributes" REQUIRED_FLAGS_WERROR)
     if (REQUIRED_FLAGS_WERROR)
         string(APPEND CMAKE_REQUIRED_FLAGS "-Wattributes ")
@@ -366,6 +375,23 @@ int main(void) {
     return 0;
 }" HAVE_FALLTHROUGH_ATTRIBUTE)
 
+check_c_source_compiles("
+#define WEAK __attribute__((weak))
+
+WEAK int sum(int a, int b)
+{
+    return a + b;
+}
+
+int main(void)
+{
+    int i = sum(2, 2);
+
+    (void)i;
+
+    return 0;
+}" HAVE_WEAK_ATTRIBUTE)
+
 if (NOT WIN32)
     check_c_source_compiles("
     #define __unused __attribute__((unused))
@@ -468,6 +494,10 @@ if (WITH_PKCS11_URI)
         message(FATAL_ERROR "PKCS #11 is not supported for mbedcrypto")
         set(WITH_PKCS11_URI 0)
     endif()
+    if (HAVE_OPENSSL AND NOT OPENSSL_VERSION VERSION_GREATER_EQUAL "1.1.1")
+        message(FATAL_ERROR "PKCS #11 requires at least OpenSSL 1.1.1")
+        set(WITH_PKCS11_URI 0)
+    endif()
 endif()
 
 if (WITH_MBEDTLS)

DefineOptions.cmake

@@ -2,7 +2,7 @@ option(WITH_GSSAPI "Build with GSSAPI support" ON)
 option(WITH_ZLIB "Build with ZLIB support" ON)
 option(WITH_SFTP "Build with SFTP support" ON)
 option(WITH_SERVER "Build with SSH server support" ON)
-option(WITH_DEBUG_CRYPTO "Build with cryto debug output" OFF)
+option(WITH_DEBUG_CRYPTO "Build with crypto debug output" OFF)
 option(WITH_DEBUG_PACKET "Build with packet debug output" OFF)
 option(WITH_DEBUG_CALLTRACE "Build with calltrace debug output" ON)
 option(WITH_DSA "Build with DSA" OFF)
@@ -16,7 +16,7 @@ option(WITH_PKCS11_URI "Build with PKCS#11 URI support" OFF)
 option(UNIT_TESTING "Build with unit tests" OFF)
 option(CLIENT_TESTING "Build with client tests; requires openssh" OFF)
 option(SERVER_TESTING "Build with server tests; requires openssh and dropbear" OFF)
-option(WITH_BENCHMARKS "Build benchmarks tools" OFF)
+option(WITH_BENCHMARKS "Build benchmarks tools; enables unit testing and client tests" OFF)
 option(WITH_EXAMPLES "Build examples" ON)
 option(WITH_NACL "Build with libnacl (curve25519)" ON)
 option(WITH_SYMBOL_VERSIONING "Build with symbol versioning" ON)

INSTALL

@@ -39,7 +39,7 @@ GNU/Linux, MacOS X, MSYS/MinGW:
     cmake -DUNIT_TESTING=ON -DCMAKE_INSTALL_PREFIX=/usr -DCMAKE_BUILD_TYPE=Debug ..
     make
 
-On Windows you should choose a makefile gernerator with -G or use
+On Windows you should choose a makefile generator with -G or use
 
     cmake-gui.exe ..
 

cmake/Modules/DefineCMakeDefaults.cmake

@@ -6,7 +6,7 @@ set(CMAKE_INCLUDE_CURRENT_DIR ON)
 
 # Put the include dirs which are in the source or build tree
 # before all other include dirs, so the headers in the sources
-# are prefered over the already installed ones
+# are preferred over the already installed ones
 # since cmake 2.4.1
 set(CMAKE_INCLUDE_DIRECTORIES_PROJECT_BEFORE ON)
 

cmake/Modules/FindArgp.cmake

@@ -1,4 +1,8 @@
 # - Try to find ARGP
+#
+# The argp can be either shipped as part of libc (ex. glibc) or as a separate
+# library that requires additional linking (ex. Windows, Mac, musl libc, ...)
+#
 # Once done this will define
 #
 #  ARGP_ROOT_DIR - Set this variable to the root installation of ARGP

cmake/Modules/FindGSSAPI.cmake

@@ -5,7 +5,7 @@
 #  GSSAPI_ROOT_DIR - Set this variable to the root installation of GSSAPI
 #
 # Read-Only variables:
-#  GSSAPI_FLAVOR_MIT - set to TURE if MIT Kerberos has been found
+#  GSSAPI_FLAVOR_MIT - set to TRUE if MIT Kerberos has been found
 #  GSSAPI_FLAVOR_HEIMDAL - set to TRUE if Heimdal Keberos has been found
 #  GSSAPI_FOUND - system has GSSAPI
 #  GSSAPI_INCLUDE_DIR - the GSSAPI include directory

config.h.cmake

@@ -82,13 +82,13 @@
 /* Define to 1 if you have the <pthread.h> header file. */
 #cmakedefine HAVE_PTHREAD_H 1
 
-/* Define to 1 if you have eliptic curve cryptography in openssl */
+/* Define to 1 if you have elliptic curve cryptography in openssl */
 #cmakedefine HAVE_OPENSSL_ECC 1
 
-/* Define to 1 if you have eliptic curve cryptography in gcrypt */
+/* Define to 1 if you have elliptic curve cryptography in gcrypt */
 #cmakedefine HAVE_GCRYPT_ECC 1
 
-/* Define to 1 if you have eliptic curve cryptography */
+/* Define to 1 if you have elliptic curve cryptography */
 #cmakedefine HAVE_ECC 1
 
 /* Define to 1 if you have DSA */
@@ -114,8 +114,8 @@
 /* Define to 1 if you have the `EVP_chacha20' function. */
 #cmakedefine HAVE_OPENSSL_EVP_CHACHA20 1
 
-/* Define to 1 if you have the `EVP_KDF_CTX_new_id' function. */
-#cmakedefine HAVE_OPENSSL_EVP_KDF_CTX_NEW_ID 1
+/* Define to 1 if you have the `EVP_KDF_CTX_new_id' or `EVP_KDF_CTX_new` function. */
+#cmakedefine HAVE_OPENSSL_EVP_KDF_CTX 1
 
 /* Define to 1 if you have the `FIPS_mode' function. */
 #cmakedefine HAVE_OPENSSL_FIPS_MODE 1
@@ -225,6 +225,7 @@
 
 #cmakedefine HAVE_FALLTHROUGH_ATTRIBUTE 1
 #cmakedefine HAVE_UNUSED_ATTRIBUTE 1
+#cmakedefine HAVE_WEAK_ATTRIBUTE 1
 
 #cmakedefine HAVE_CONSTRUCTOR_ATTRIBUTE 1
 #cmakedefine HAVE_DESTRUCTOR_ATTRIBUTE 1

doc/CMakeLists.txt

@@ -18,7 +18,8 @@ if (DOXYGEN_FOUND)
     set(DOXYGEN_PREDEFINED DOXYGEN
                            WITH_SERVER
                            WITH_SFTP
-                           PRINTF_ATTRIBUTE(x,y))
+                           PRINTF_ATTRIBUTE\(x,y\))
+    set(DOXYGEN_DOT_GRAPH_MAX_NODES 100)
 
     set(DOXYGEN_EXCLUDE ${CMAKE_CURRENT_SOURCE_DIR}/that_style)
     set(DOXYGEN_HTML_HEADER ${CMAKE_CURRENT_SOURCE_DIR}/that_style/header.html)

doc/curve25519-sha256@libssh.org.txt

@@ -3,13 +3,13 @@ curve25519-sha256@libssh.org.txt        Aris Adamantiadis <aris@badcode.be>
 
 1. Introduction
 
-This document describes the key exchange methode curve25519-sha256@libssh.org
+This document describes the key exchange method curve25519-sha256@libssh.org
 for SSH version 2 protocol. It is provided as an alternative to the existing
 key exchange mechanisms based on either Diffie-Hellman or Elliptic Curve Diffie-
 Hellman [RFC5656].
 The reason is the following : During summer of 2013, revelations from ex-
 consultant at NSA Edward Snowden gave proof that NSA willingly inserts backdoors
-into softwares, hardware components and published standards. While it is still
+into software, hardware components and published standards. While it is still
 believed that the mathematics behind ECC cryptography are still sound and solid,
 some people (including Bruce Schneier [SCHNEIER]), showed their lack of confidence
 in NIST-published curves such as nistp256, nistp384, nistp521, for which constant
@@ -42,8 +42,8 @@ The following is an overview of the key exchange process:
 Client                                                            Server
 ------                                                            ------
 Generate ephemeral key pair.
-SSH_MSG_KEX_ECDH_INIT          -------->                      
-                                            Verify that client public key 
+SSH_MSG_KEX_ECDH_INIT          -------->
+                                            Verify that client public key
                                             length is 32 bytes.
                                              Generate ephemeral key pair.
                                                    Compute shared secret.
@@ -55,7 +55,7 @@ Compute shared secret.
 Generate exchange hash.
 Verify server's signature.
 
-*   Optional but strongly recommanded as this protects against MITM attacks.
+*   Optional but strongly recommended as this protects against MITM attacks.
 
 This is implemented using the same messages as described in RFC5656 chapter 4
 
@@ -109,7 +109,7 @@ This number is calculated using the following procedure:
      side's public key and the local private key scalar.
 
      The whole 32 bytes of the number X are then converted into a big integer k.
-     This conversion follows the network byte order. This step differs from 
+     This conversion follows the network byte order. This step differs from
      RFC5656.
 
 [RFC5656]    https://tools.ietf.org/html/rfc5656

doc/mainpage.dox

@@ -149,7 +149,7 @@ The libssh Team
 
 @subsection main-rfc-secsh Secure Shell (SSH)
 
-The following RFC documents described SSH-2 protcol as an Internet standard.
+The following RFC documents described SSH-2 protocol as an Internet standard.
 
  - <a href="https://tools.ietf.org/html/rfc4250" target="_blank">RFC 4250</a>,
     The Secure Shell (SSH) Protocol Assigned Numbers

examples/CMakeLists.txt

@@ -39,34 +39,34 @@ if (UNIX AND NOT WIN32)
     target_compile_options(ssh-X11-client PRIVATE ${DEFAULT_C_COMPILE_FLAGS})
     target_link_libraries(ssh-X11-client ssh::ssh)
 
-    if (WITH_SERVER AND (ARGP_LIBRARY OR HAVE_ARGP_H))
+    if (WITH_SERVER AND (ARGP_LIBRARIES OR HAVE_ARGP_H))
         if (HAVE_LIBUTIL)
             add_executable(ssh_server_fork ssh_server.c)
             target_compile_options(ssh_server_fork PRIVATE ${DEFAULT_C_COMPILE_FLAGS} -DWITH_FORK)
-            target_link_libraries(ssh_server_fork ssh::ssh ${ARGP_LIBRARY} util)
+            target_link_libraries(ssh_server_fork ssh::ssh ${ARGP_LIBRARIES} util)
 
             add_executable(ssh_server_pthread ssh_server.c)
             target_compile_options(ssh_server_pthread PRIVATE ${DEFAULT_C_COMPILE_FLAGS})
-            target_link_libraries(ssh_server_pthread ssh::ssh ${ARGP_LIBRARY} pthread util)
+            target_link_libraries(ssh_server_pthread ssh::ssh ${ARGP_LIBRARIES} pthread util)
         endif (HAVE_LIBUTIL)
 
         if (WITH_GSSAPI AND GSSAPI_FOUND)
             add_executable(proxy proxy.c)
             target_compile_options(proxy PRIVATE ${DEFAULT_C_COMPILE_FLAGS})
-            target_link_libraries(proxy ssh::ssh ${ARGP_LIBRARY})
+            target_link_libraries(proxy ssh::ssh ${ARGP_LIBRARIES})
 
             add_executable(sshd_direct-tcpip sshd_direct-tcpip.c)
             target_compile_options(sshd_direct-tcpip PRIVATE ${DEFAULT_C_COMPILE_FLAGS})
-            target_link_libraries(sshd_direct-tcpip ssh::ssh ${ARGP_LIBRARY})
+            target_link_libraries(sshd_direct-tcpip ssh::ssh ${ARGP_LIBRARIES})
         endif (WITH_GSSAPI AND GSSAPI_FOUND)
 
         add_executable(samplesshd-kbdint samplesshd-kbdint.c)
         target_compile_options(samplesshd-kbdint PRIVATE ${DEFAULT_C_COMPILE_FLAGS})
-        target_link_libraries(samplesshd-kbdint ssh::ssh ${ARGP_LIBRARY})
+        target_link_libraries(samplesshd-kbdint ssh::ssh ${ARGP_LIBRARIES})
 
         add_executable(keygen2 keygen2.c ${examples_SRCS})
         target_compile_options(keygen2 PRIVATE ${DEFAULT_C_COMPILE_FLAGS})
-        target_link_libraries(keygen2 ssh::ssh ${ARGP_LIBRARY})
+        target_link_libraries(keygen2 ssh::ssh ${ARGP_LIBRARIES})
 
     endif()
 endif (UNIX AND NOT WIN32)
@@ -75,9 +75,9 @@ if (WITH_SERVER)
     add_executable(samplesshd-cb samplesshd-cb.c)
     target_compile_options(samplesshd-cb PRIVATE ${DEFAULT_C_COMPILE_FLAGS})
     target_link_libraries(samplesshd-cb ssh::ssh)
-    if (ARGP_LIBRARY OR HAVE_ARGP_H)
-        target_link_libraries(samplesshd-cb ${ARGP_LIBRARY})
-    endif(ARGP_LIBRARY OR HAVE_ARGP_H)
+    if (ARGP_LIBRARIES OR HAVE_ARGP_H)
+        target_link_libraries(samplesshd-cb ${ARGP_LIBRARIES})
+    endif(ARGP_LIBRARIES OR HAVE_ARGP_H)
 endif()
 
 add_executable(exec exec.c ${examples_SRCS})

examples/keygen2.c

@@ -38,6 +38,7 @@ struct arguments_st {
     unsigned long bits;
     char *file;
     char *passphrase;
+    int action_list;
 };
 
 static struct argp_option options[] = {
@@ -88,6 +89,14 @@ static struct argp_option options[] = {
                  "\"rsa\", \"ecdsa\", \"ed25519\", and \"dsa\".\n",
         .group = 0
     },
+    {
+        .name  = "list",
+        .key   = 'l',
+        .arg   = NULL,
+        .flags = 0,
+        .doc   = "List the Fingerprint of the given key\n",
+        .group = 0
+    },
     {
         /* End of the options */
         0
@@ -160,6 +169,9 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state)
                 goto end;
             }
             break;
+        case 'l':
+            arguments->action_list = 1;
+            break;
         case ARGP_KEY_ARG:
             if (state->arg_num > 0) {
                 /* Too many arguments. */
@@ -185,98 +197,103 @@ static int validate_args(struct arguments_st *args)
         return EINVAL;
     }
 
-    switch(args->type) {
-        case SSH_KEYTYPE_RSA:
-            switch(args->bits) {
-                case 0:
-                    /* If not provided, use default value */
-                    args->bits = 3072;
-                    break;
-                case 1024:
-                case 2048:
-                case 3072:
-                case 4096:
-                case 8192:
-                    break;
-                default:
-                    fprintf(stderr, "Error: Invalid bits parameter provided\n");
-                    rc = EINVAL;
-                    break;
-            }
-
-            if (args->file == NULL) {
-                args->file = strdup("id_rsa");
-                if (args->file == NULL) {
-                    rc = ENOMEM;
-                    break;
-                }
-            }
+    /* no other arguments needed for listing key fingerprints */
+    if (args->action_list) {
+        return 0;
+    }
 
+    switch (args->type) {
+    case SSH_KEYTYPE_RSA:
+        switch (args->bits) {
+        case 0:
+            /* If not provided, use default value */
+            args->bits = 3072;
             break;
-        case SSH_KEYTYPE_ECDSA:
-            switch(args->bits) {
-                case 0:
-                    /* If not provided, use default value */
-                    args->bits = 256;
-                    break;
-                case 256:
-                case 384:
-                case 521:
-                    break;
-                default:
-                    fprintf(stderr, "Error: Invalid bits parameter provided\n");
-                    rc = EINVAL;
-                    break;
-            }
-            if (args->file == NULL) {
-                args->file = strdup("id_ecdsa");
-                if (args->file == NULL) {
-                    rc = ENOMEM;
-                    break;
-                }
-            }
-
-            break;
-        case SSH_KEYTYPE_DSS:
-            switch(args->bits) {
-                case 0:
-                    /* If not provided, use default value */
-                    args->bits = 1024;
-                    break;
-                case 1024:
-                case 2048:
-                    break;
-                default:
-                    fprintf(stderr, "Error: Invalid bits parameter provided\n");
-                    rc = EINVAL;
-                    break;
-            }
-            if (args->file == NULL) {
-                args->file = strdup("id_dsa");
-                if (args->file == NULL) {
-                    rc = ENOMEM;
-                    break;
-                }
-            }
-
-            break;
-        case SSH_KEYTYPE_ED25519:
-            /* Ignore value and overwrite with a zero */
-            args->bits = 0;
-
-            if (args->file == NULL) {
-                args->file = strdup("id_ed25519");
-                if (args->file == NULL) {
-                    rc = ENOMEM;
-                    break;
-                }
-            }
-
+        case 1024:
+        case 2048:
+        case 3072:
+        case 4096:
+        case 8192:
             break;
         default:
-            fprintf(stderr, "Error: unknown key type\n");
+            fprintf(stderr, "Error: Invalid bits parameter provided\n");
             rc = EINVAL;
             break;
+        }
+
+        if (args->file == NULL) {
+            args->file = strdup("id_rsa");
+            if (args->file == NULL) {
+                rc = ENOMEM;
+                break;
+            }
+        }
+
+        break;
+    case SSH_KEYTYPE_ECDSA:
+        switch (args->bits) {
+        case 0:
+            /* If not provided, use default value */
+            args->bits = 256;
+            break;
+        case 256:
+        case 384:
+        case 521:
+            break;
+        default:
+            fprintf(stderr, "Error: Invalid bits parameter provided\n");
+            rc = EINVAL;
+            break;
+        }
+        if (args->file == NULL) {
+            args->file = strdup("id_ecdsa");
+            if (args->file == NULL) {
+                rc = ENOMEM;
+                break;
+            }
+        }
+
+        break;
+    case SSH_KEYTYPE_DSS:
+        switch (args->bits) {
+        case 0:
+            /* If not provided, use default value */
+            args->bits = 1024;
+            break;
+        case 1024:
+        case 2048:
+            break;
+        default:
+            fprintf(stderr, "Error: Invalid bits parameter provided\n");
+            rc = EINVAL;
+            break;
+        }
+        if (args->file == NULL) {
+            args->file = strdup("id_dsa");
+            if (args->file == NULL) {
+                rc = ENOMEM;
+                break;
+            }
+        }
+
+        break;
+    case SSH_KEYTYPE_ED25519:
+        /* Ignore value and overwrite with a zero */
+        args->bits = 0;
+
+        if (args->file == NULL) {
+            args->file = strdup("id_ed25519");
+            if (args->file == NULL) {
+                rc = ENOMEM;
+                break;
+            }
+        }
+
+        break;
+    default:
+        fprintf(stderr, "Error: unknown key type\n");
+        rc = EINVAL;
+        break;
     }
 
     return rc;
@@ -289,6 +306,31 @@ static char doc[] = "Generate an SSH key pair. "
 /* Our argp parser */
 static struct argp argp = {options, parse_opt, NULL, doc, NULL, NULL, NULL};
 
+static void
+list_fingerprint(char *file)
+{
+    ssh_key key = NULL;
+    unsigned char *hash = NULL;
+    size_t hlen = 0;
+    int rc;
+
+    rc = ssh_pki_import_privkey_file(file, NULL, NULL, NULL, &key);
+    if (rc != SSH_OK) {
+        fprintf(stderr, "Failed to import private key %s\n", file);
+        return;
+    }
+
+    rc = ssh_get_publickey_hash(key, SSH_PUBLICKEY_HASH_SHA256, &hash, &hlen);
+    if (rc != SSH_OK) {
+        fprintf(stderr, "Failed to get key fingerprint\n");
+        return;
+    }
+    ssh_print_hash(SSH_PUBLICKEY_HASH_SHA256, hash, hlen);
+
+    ssh_clean_pubkey_hash(&hash);
+    ssh_key_free(key);
+}
+
 int main(int argc, char *argv[])
 {
     ssh_key key = NULL;
@@ -302,6 +344,7 @@ int main(int argc, char *argv[])
         .bits = 0,
         .file = NULL,
         .passphrase = NULL,
+        .action_list = 0,
     };
 
     if (argc < 2) {
@@ -319,6 +362,11 @@ int main(int argc, char *argv[])
         goto end;
     }
 
+    if (arguments.action_list && arguments.file) {
+        list_fingerprint(arguments.file);
+        goto end;
+    }
+
     errno = 0;
     rc = open(arguments.file, O_CREAT | O_EXCL | O_WRONLY, S_IRUSR | S_IWUSR);
     if (rc < 0) {

examples/samplesftp.c

@@ -47,7 +47,7 @@ static void do_sftp(ssh_session session) {
     int len = 1;
     unsigned int i;
     char data[BUF_SIZE] = {0};
-    char *lnk;
+    char *lnk = NULL;
 
     unsigned int count;
 
@@ -86,6 +86,7 @@ static void do_sftp(ssh_session session) {
         goto end;
     }
     printf("readlink /tmp/sftp_symlink_test: %s\n", lnk);
+    ssh_string_free_char(lnk);
 
     sftp_unlink(sftp, "/tmp/sftp_symlink_test");
 
@@ -173,7 +174,7 @@ static void do_sftp(ssh_session session) {
         sftp_attributes_free(file);
     }
 
-    /* when file = NULL, an error has occured OR the directory listing is end of
+    /* when file = NULL, an error has occurred OR the directory listing is end of
      * file */
     if (!sftp_dir_eof(dir)) {
         fprintf(stderr, "Error: %s\n", ssh_get_error(session));

examples/samplesshd-kbdint.c

@@ -369,9 +369,9 @@ int main(int argc, char **argv){
         }
     } while(!chan);
 
-    if(!chan) {
-        printf("Error: cleint did not ask for a channel session (%s)\n",
-                                                    ssh_get_error(session));
+    if (!chan) {
+        printf("Error: client did not ask for a channel session (%s)\n",
+               ssh_get_error(session));
         ssh_finalize();
         return 1;
     }

examples/ssh_X11_client.c

@@ -453,7 +453,7 @@ connect_local_xsocket(int display_number)
 
 
 static int
-x11_connect_display()
+x11_connect_display(void)
 {
 	int display_number;
 	const char *display = NULL;

examples/sshd_direct-tcpip.c

@@ -27,6 +27,9 @@ clients must be made or how a client should react.
 #ifdef HAVE_ARGP_H
 #include <argp.h>
 #endif
+#ifndef _WIN32
+#include <netinet/in.h>
+#endif
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <stdbool.h>
@@ -92,7 +95,7 @@ cleanup_push(struct cleanup_node_struct** head_ref,
     // Allocate memory for node
     struct cleanup_node_struct *new_node = malloc(sizeof *new_node);
 
-    if (head_ref != NULL) {
+    if (*head_ref != NULL) {
         new_node->next = *head_ref;
     } else {
         new_node->next = NULL;
@@ -197,7 +200,7 @@ subsystem_request(UNUSED_PARAM(ssh_session session),
                   UNUSED_PARAM(void *userdata))
 {
     _ssh_log(SSH_LOG_PROTOCOL,
-             "=== subsystem_request", "Channel subsystem reqeuest: %s",
+             "=== subsystem_request", "Channel subsystem request: %s",
              subsystem);
     return 0;
 }
@@ -293,7 +296,7 @@ my_channel_eof_function(ssh_session session,
 
     _ssh_log(SSH_LOG_PROTOCOL,
              "=== my_channel_eof_function",
-             "Got EOF on channel. Shuting down write on socket (fd = %d).",
+             "Got EOF on channel. Shutting down write on socket (fd = %d).",
              *event_fd_data->p_fd);
 
     stack_socket_close(session, event_fd_data);

examples/sshnetcat.c

@@ -238,9 +238,10 @@ void set_pcap(ssh_session session){
 }
 
 void cleanup_pcap(void);
-void cleanup_pcap(){
+void cleanup_pcap(void)
+{
 	ssh_pcap_file_free(pcap);
-	pcap=NULL;
+	pcap = NULL;
 }
 #endif
 

include/libssh/agent.h

@@ -70,6 +70,10 @@
 #define SSH_AGENT_RSA_SHA2_256                   0x02
 #define SSH_AGENT_RSA_SHA2_512                   0x04
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 struct ssh_agent_struct {
   struct ssh_socket_struct *sock;
   ssh_buffer ident;
@@ -115,4 +119,8 @@ ssh_string ssh_agent_sign_data(ssh_session session,
                                const ssh_key pubkey,
                                struct ssh_buffer_struct *data);
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* __AGENT_H */

include/libssh/auth.h

@@ -23,6 +23,10 @@
 #include "config.h"
 #include "libssh/callbacks.h"
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 SSH_PACKET_CALLBACK(ssh_packet_userauth_banner);
 SSH_PACKET_CALLBACK(ssh_packet_userauth_failure);
 SSH_PACKET_CALLBACK(ssh_packet_userauth_success);
@@ -100,4 +104,8 @@ enum ssh_auth_service_state_e {
   SSH_AUTH_SERVICE_DENIED,
 };
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* AUTH_H_ */

include/libssh/bignum.h

@@ -25,9 +25,16 @@
 #include "libssh/libgcrypt.h"
 #include "libssh/libmbedcrypto.h"
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 bignum ssh_make_string_bn(ssh_string string);
 ssh_string ssh_make_bignum_string(bignum num);
 void ssh_print_bignum(const char *which, const_bignum num);
 
+#ifdef __cplusplus
+}
+#endif
 
 #endif /* BIGNUM_H_ */

include/libssh/bind.h

@@ -25,6 +25,10 @@
 #include "libssh/kex.h"
 #include "libssh/session.h"
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 struct ssh_bind_struct {
   struct ssh_common_struct common; /* stuff common to ssh_bind and ssh_session */
   struct ssh_bind_callbacks_struct *bind_callbacks;
@@ -57,5 +61,8 @@ struct ssh_bind_struct {
 struct ssh_poll_handle_struct *ssh_bind_get_poll(struct ssh_bind_struct
     *sshbind);
 
+#ifdef __cplusplus
+}
+#endif
 
 #endif /* BIND_H_ */

include/libssh/bind_config.h

@@ -28,6 +28,10 @@
 
 #include "libssh/server.h"
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 enum ssh_bind_config_opcode_e {
     /* Known but not allowed in Match block */
     BIND_CFG_NOT_ALLOWED_IN_MATCH = -4,
@@ -71,4 +75,8 @@ int ssh_bind_config_parse_file(ssh_bind sshbind, const char *filename);
  */
 int ssh_bind_config_parse_string(ssh_bind bind, const char *input);
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* BIND_CONFIG_H_ */

include/libssh/blf.h

@@ -49,6 +49,10 @@
 #define BLF_MAXKEYLEN ((BLF_N-2)*4)	/* 448 bits */
 #define BLF_MAXUTILIZED ((BLF_N+2)*4)	/* 576 bits */
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 /* Blowfish context */
 typedef struct BlowfishContext {
 	uint32_t S[4][256];	/* S-Boxes */
@@ -84,4 +88,9 @@ void ssh_blf_cbc_decrypt(ssh_blf_ctx *, uint8_t *, uint8_t *, uint32_t);
 uint32_t Blowfish_stream2word(const uint8_t *, uint16_t , uint16_t *);
 
 #endif /* !defined(HAVE_BCRYPT_PBKDF) && !defined(HAVE_BLH_H) */
+
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* _BLF_H */

include/libssh/buffer.h

@@ -27,6 +27,10 @@
 
 #define SSH_BUFFER_PACK_END ((uint32_t) 0x4f65feb3)
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 void ssh_buffer_set_secure(ssh_buffer buffer);
 int ssh_buffer_add_ssh_string(ssh_buffer buffer, ssh_string string);
 int ssh_buffer_add_u8(ssh_buffer buffer, uint8_t data);
@@ -74,4 +78,8 @@ ssh_string ssh_buffer_get_ssh_string(ssh_buffer buffer);
 uint32_t ssh_buffer_pass_bytes_end(ssh_buffer buffer, uint32_t len);
 uint32_t ssh_buffer_pass_bytes(ssh_buffer buffer, uint32_t len);
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* BUFFER_H_ */

include/libssh/callbacks.h

@@ -81,9 +81,9 @@ typedef void (*ssh_log_callback) (ssh_session session, int priority,
  *
  * @param priority  Priority of the log, the smaller being the more important.
  *
- * @param function  The function name calling the the logging fucntions.
+ * @param function  The function name calling the logging functions.
  *
- * @param message   The actual message
+ * @param buffer   The actual message
  *
  * @param userdata Userdata to be passed to the callback function.
  */
@@ -117,6 +117,8 @@ typedef void (*ssh_global_request_callback) (ssh_session session,
  * sends back an X11 connection attempt. This is a client-side API
  * @param session current session handler
  * @param userdata Userdata to be passed to the callback function.
+ * @param originator_address    IP address of the machine who sent the request
+ * @param originator_port   port number of the machine who sent the request
  * @returns a valid ssh_channel handle if the request is to be allowed
  * @returns NULL if the request should not be allowed
  * @warning The channel pointer returned by this callback must be closed by the application.
@@ -268,7 +270,7 @@ typedef ssh_string (*ssh_gssapi_select_oid_callback) (ssh_session session, const
 		int n_oid, ssh_string *oids, void *userdata);
 
 /*
- * @brief handle the negociation of a security context, server side.
+ * @brief handle the negotiation of a security context, server side.
  * @param session current session handler
  * @param[in] input_token input token provided by client
  * @param[out] output_token output of the gssapi accept_sec_context method,
@@ -397,7 +399,7 @@ struct ssh_socket_callbacks_struct {
    */
   ssh_callback_int_int exception;
   /** This function is called when the ssh_socket_connect was used on the socket
-   * on nonblocking state, and the connection successed.
+   * on nonblocking state, and the connection succeeded.
    */
   ssh_callback_int_int connected;
 };
@@ -625,6 +627,7 @@ typedef void (*ssh_channel_signal_callback) (ssh_session session,
  * @brief SSH channel exit status callback. Called when a channel has received an exit status
  * @param session Current session handler
  * @param channel the actual channel
+ * @param exit_status Exit status of the ran command
  * @param userdata Userdata to be passed to the callback function.
  */
 typedef void (*ssh_channel_exit_status_callback) (ssh_session session,
@@ -637,7 +640,7 @@ typedef void (*ssh_channel_exit_status_callback) (ssh_session session,
  * @param session Current session handler
  * @param channel the actual channel
  * @param signal the signal name (without the SIG prefix)
- * @param core a boolean telling wether a core has been dumped or not
+ * @param core a boolean telling whether a core has been dumped or not
  * @param errmsg the description of the exception
  * @param lang the language of the description (format: RFC 3066)
  * @param userdata Userdata to be passed to the callback function.
@@ -652,12 +655,13 @@ typedef void (*ssh_channel_exit_signal_callback) (ssh_session session,
 
 /**
  * @brief SSH channel PTY request from a client.
+ * @param session the session
  * @param channel the channel
  * @param term The type of terminal emulation
  * @param width width of the terminal, in characters
  * @param height height of the terminal, in characters
  * @param pxwidth width of the terminal, in pixels
- * @param pxheight height of the terminal, in pixels
+ * @param pwheight height of the terminal, in pixels
  * @param userdata Userdata to be passed to the callback function.
  * @returns 0 if the pty request is accepted
  * @returns -1 if the request is denied
@@ -671,6 +675,7 @@ typedef int (*ssh_channel_pty_request_callback) (ssh_session session,
 
 /**
  * @brief SSH channel Shell request from a client.
+ * @param session the session
  * @param channel the channel
  * @param userdata Userdata to be passed to the callback function.
  * @returns 0 if the shell request is accepted
@@ -683,6 +688,7 @@ typedef int (*ssh_channel_shell_request_callback) (ssh_session session,
  * @brief SSH auth-agent-request from the client. This request is
  * sent by a client when agent forwarding is available.
  * Server is free to ignore this callback, no answer is expected.
+ * @param session the session
  * @param channel the channel
  * @param userdata Userdata to be passed to the callback function.
  */
@@ -694,7 +700,12 @@ typedef void (*ssh_channel_auth_agent_req_callback) (ssh_session session,
  * @brief SSH X11 request from the client. This request is
  * sent by a client when X11 forwarding is requested(and available).
  * Server is free to ignore this callback, no answer is expected.
+ * @param session the session
  * @param channel the channel
+ * @param single_connection If true, only one channel should be forwarded
+ * @param auth_protocol The X11 authentication method to be used
+ * @param auth_cookie   Authentication cookie encoded hexadecimal
+ * @param screen_number Screen number
  * @param userdata Userdata to be passed to the callback function.
  */
 typedef void (*ssh_channel_x11_req_callback) (ssh_session session,
@@ -706,11 +717,12 @@ typedef void (*ssh_channel_x11_req_callback) (ssh_session session,
                                             void *userdata);
 /**
  * @brief SSH channel PTY windows change (terminal size) from a client.
+ * @param session the session
  * @param channel the channel
  * @param width width of the terminal, in characters
  * @param height height of the terminal, in characters
  * @param pxwidth width of the terminal, in pixels
- * @param pxheight height of the terminal, in pixels
+ * @param pwheight height of the terminal, in pixels
  * @param userdata Userdata to be passed to the callback function.
  * @returns 0 if the pty request is accepted
  * @returns -1 if the request is denied
@@ -723,6 +735,7 @@ typedef int (*ssh_channel_pty_window_change_callback) (ssh_session session,
 
 /**
  * @brief SSH channel Exec request from a client.
+ * @param session the session
  * @param channel the channel
  * @param command the shell command to be executed
  * @param userdata Userdata to be passed to the callback function.
@@ -736,6 +749,7 @@ typedef int (*ssh_channel_exec_request_callback) (ssh_session session,
 
 /**
  * @brief SSH channel environment request from a client.
+ * @param session the session
  * @param channel the channel
  * @param env_name name of the environment value to be set
  * @param env_value value of the environment value to be set
@@ -752,6 +766,7 @@ typedef int (*ssh_channel_env_request_callback) (ssh_session session,
                                             void *userdata);
 /**
  * @brief SSH channel subsystem request from a client.
+ * @param session the session
  * @param channel the channel
  * @param subsystem the subsystem required
  * @param userdata Userdata to be passed to the callback function.
@@ -766,6 +781,8 @@ typedef int (*ssh_channel_subsystem_request_callback) (ssh_session session,
 /**
  * @brief SSH channel write will not block (flow control).
  *
+ * @param session the session
+ *
  * @param channel the channel
  *
  * @param[in] bytes size of the remote window in bytes. Writing as much data
@@ -917,7 +934,7 @@ LIBSSH_API int ssh_remove_channel_callbacks(ssh_channel channel,
 
 /** @} */
 
-/** @group libssh_threads
+/** @addtogroup libssh_threads
  * @{
  */
 
@@ -989,7 +1006,7 @@ LIBSSH_API struct ssh_threads_callbacks_struct *ssh_threads_get_noop(void);
  *
  * @param[in]  cb  The callback to set.
  *
- * @return         0 on success, < 0 on errror.
+ * @return         0 on success, < 0 on error.
  */
 LIBSSH_API int ssh_set_log_callback(ssh_logging_callback cb);
 

include/libssh/chacha.h

@@ -18,6 +18,10 @@ struct chacha_ctx {
 #define CHACHA_CTRLEN     8
 #define CHACHA_STATELEN   (CHACHA_NONCELEN+CHACHA_CTRLEN)
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 void chacha_keysetup(struct chacha_ctx *x, const uint8_t *k, uint32_t kbits)
 #ifdef HAVE_GCC_BOUNDED_ATTRIBUTE
     __attribute__((__bounded__(__minbytes__, 2, CHACHA_MINKEYLEN)))
@@ -37,4 +41,8 @@ void chacha_encrypt_bytes(struct chacha_ctx *x, const uint8_t *m,
 #endif
     ;
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif    /* CHACHA_H */

include/libssh/channels.h

@@ -22,6 +22,10 @@
 #define CHANNELS_H_
 #include "libssh/priv.h"
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 /**  @internal
  * Describes the different possible states in a
  * outgoing (client) channel request
@@ -35,7 +39,7 @@ enum ssh_channel_request_state_e {
 	SSH_CHANNEL_REQ_STATE_ACCEPTED,
 	/** A request has been replied and refused */
 	SSH_CHANNEL_REQ_STATE_DENIED,
-	/** A request has been replied and an error happend */
+	/** A request has been replied and an error happened */
 	SSH_CHANNEL_REQ_STATE_ERROR
 };
 
@@ -109,4 +113,8 @@ int ssh_global_request(ssh_session session,
                        ssh_buffer buffer,
                        int reply);
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* CHANNELS_H_ */

include/libssh/config_parser.h

@@ -26,6 +26,10 @@
 #ifndef CONFIG_PARSER_H_
 #define CONFIG_PARSER_H_
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 char *ssh_config_get_cmd(char **str);
 
 char *ssh_config_get_token(char **str);
@@ -54,4 +58,8 @@ int ssh_config_parse_uri(const char *tok,
         char **hostname,
         char **port);
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* LIBSSH_CONFIG_H_ */

include/libssh/crypto.h

@@ -216,12 +216,23 @@ struct ssh_cipher_struct {
     void (*cleanup)(struct ssh_cipher_struct *cipher);
 };
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 const struct ssh_cipher_struct *ssh_get_chacha20poly1305_cipher(void);
 int sshkdf_derive_key(struct ssh_crypto_struct *crypto,
                       unsigned char *key, size_t key_len,
-                      int key_type, unsigned char *output,
+                      uint8_t key_type, unsigned char *output,
                       size_t requested_len);
 
 int secure_memcmp(const void *s1, const void *s2, size_t n);
+#ifdef HAVE_LIBCRYPTO
+ENGINE *pki_get_engine(void);
+#endif /* HAVE_LIBCRYPTO */
+
+#ifdef __cplusplus
+}
+#endif
 
 #endif /* _CRYPTO_H_ */

include/libssh/curve25519.h

@@ -33,6 +33,10 @@
 #define crypto_scalarmult crypto_scalarmult_curve25519
 #else
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 #define CURVE25519_PUBKEY_SIZE 32
 #define CURVE25519_PRIVKEY_SIZE 32
 int crypto_scalarmult_base(unsigned char *q, const unsigned char *n);
@@ -48,9 +52,14 @@ typedef unsigned char ssh_curve25519_privkey[CURVE25519_PRIVKEY_SIZE];
 
 
 int ssh_client_curve25519_init(ssh_session session);
+void ssh_client_curve25519_remove_callbacks(ssh_session session);
 
 #ifdef WITH_SERVER
 void ssh_server_curve25519_init(ssh_session session);
 #endif /* WITH_SERVER */
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* CURVE25519_H_ */

include/libssh/dh-gex.h

@@ -23,10 +23,19 @@
 #ifndef SRC_DH_GEX_H_
 #define SRC_DH_GEX_H_
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 int ssh_client_dhgex_init(ssh_session session);
+void ssh_client_dhgex_remove_callbacks(ssh_session session);
 
 #ifdef WITH_SERVER
 void ssh_server_dhgex_init(ssh_session session);
 #endif /* WITH_SERVER */
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* SRC_DH_GEX_H_ */

include/libssh/dh.h

@@ -30,6 +30,10 @@ struct dh_ctx;
 #define DH_CLIENT_KEYPAIR 0
 #define DH_SERVER_KEYPAIR 1
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 /* functions implemented by crypto backends */
 int ssh_dh_init_common(struct ssh_crypto_struct *crypto);
 void ssh_dh_cleanup(struct ssh_crypto_struct *crypto);
@@ -53,7 +57,7 @@ int ssh_dh_keypair_get_keys(struct dh_ctx *ctx, int peer,
                             bignum *priv, bignum *pub);
 #endif /* OPENSSL_VERSION_NUMBER */
 int ssh_dh_keypair_set_keys(struct dh_ctx *ctx, int peer,
-                            const bignum priv, const bignum pub);
+                            bignum priv, bignum pub);
 
 int ssh_dh_compute_shared_secret(struct dh_ctx *ctx, int local, int remote,
                                  bignum *dest);
@@ -73,8 +77,10 @@ int ssh_dh_get_current_server_publickey_blob(ssh_session session,
 ssh_key ssh_dh_get_next_server_publickey(ssh_session session);
 int ssh_dh_get_next_server_publickey_blob(ssh_session session,
                                           ssh_string *pubkey_blob);
+int dh_handshake(ssh_session session);
 
 int ssh_client_dh_init(ssh_session session);
+void ssh_client_dh_remove_callbacks(ssh_session session);
 #ifdef WITH_SERVER
 void ssh_server_dh_init(ssh_session session);
 #endif /* WITH_SERVER */
@@ -82,4 +88,8 @@ int ssh_server_dh_process_init(ssh_session session, ssh_buffer packet);
 int ssh_fallback_group(uint32_t pmax, bignum *p, bignum *g);
 bool ssh_dh_is_known_group(bignum modulus, bignum generator);
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* DH_H_ */

include/libssh/ecdh.h

@@ -42,9 +42,14 @@
 #define HAVE_ECDH 1
 #endif
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 extern struct ssh_packet_callbacks_struct ssh_ecdh_client_callbacks;
 /* Backend-specific functions.  */
 int ssh_client_ecdh_init(ssh_session session);
+void ssh_client_ecdh_remove_callbacks(ssh_session session);
 int ecdh_build_k(ssh_session session);
 
 #ifdef WITH_SERVER
@@ -53,4 +58,8 @@ void ssh_server_ecdh_init(ssh_session session);
 SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init);
 #endif /* WITH_SERVER */
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* ECDH_H_ */

include/libssh/ed25519.h

@@ -24,10 +24,10 @@
 
 /**
  * @defgroup ed25519 ed25519 API
- * @internal
  * @brief API for DJB's ed25519
  *
- * @{ */
+ * @{
+ */
 
 #define ED25519_PK_LEN 32
 #define ED25519_SK_LEN 64
@@ -37,6 +37,10 @@ typedef uint8_t ed25519_pubkey[ED25519_PK_LEN];
 typedef uint8_t ed25519_privkey[ED25519_SK_LEN];
 typedef uint8_t ed25519_signature[ED25519_SIG_LEN];
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 /** @internal
  * @brief generate an ed25519 key pair
  * @param[out] pk generated public key
@@ -76,4 +80,8 @@ int crypto_sign_ed25519_open(
     const ed25519_pubkey pk);
 
 /** @} */
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* ED25519_H_ */

include/libssh/fe25519.h

@@ -33,6 +33,10 @@ typedef struct {
   uint32_t v[32];
 } fe25519;
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 void fe25519_freeze(fe25519 *r);
 
 void fe25519_unpack(fe25519 *r, const unsigned char x[32]);
@@ -65,4 +69,8 @@ void fe25519_invert(fe25519 *r, const fe25519 *x);
 
 void fe25519_pow2523(fe25519 *r, const fe25519 *x);
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif

include/libssh/ge25519.h

@@ -28,6 +28,10 @@ typedef struct
   fe25519 t;
 } ge25519;
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 extern const ge25519 ge25519_base;
 
 int ge25519_unpackneg_vartime(ge25519 *r, const unsigned char p[32]);
@@ -40,4 +44,8 @@ void ge25519_double_scalarmult_vartime(ge25519 *r, const ge25519 *p1, const sc25
 
 void ge25519_scalarmult_base(ge25519 *r, const sc25519 *s);
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif

include/libssh/gssapi.h

@@ -29,6 +29,10 @@
 
 typedef struct ssh_gssapi_struct *ssh_gssapi;
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 #ifdef WITH_SERVER
 int ssh_gssapi_handle_userauth(ssh_session session, const char *user, uint32_t n_oid, ssh_string *oids);
 SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_server);
@@ -42,4 +46,8 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_response);
 
 int ssh_gssapi_auth_mic(ssh_session session);
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* GSSAPI_H */

include/libssh/kex.h

@@ -31,9 +31,13 @@ struct ssh_kex_struct {
     char *methods[SSH_KEX_METHODS];
 };
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 SSH_PACKET_CALLBACK(ssh_packet_kexinit);
 
-int ssh_send_kex(ssh_session session, int server_kex);
+int ssh_send_kex(ssh_session session);
 void ssh_list_kex(struct ssh_kex_struct *kex);
 int ssh_set_client_kex(ssh_session session);
 int ssh_kex_select_methods(ssh_session session);
@@ -56,4 +60,8 @@ int ssh_hashbufin_add_cookie(ssh_session session, unsigned char *cookie);
 int ssh_hashbufout_add_cookie(ssh_session session);
 int ssh_generate_session_keys(ssh_session session);
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* KEX_H_ */

include/libssh/keys.h

@@ -62,9 +62,17 @@ struct ssh_private_key_struct {
 #endif
 };
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 const char *ssh_type_to_char(int type);
 int ssh_type_from_name(const char *name);
 
 ssh_public_key publickey_from_string(ssh_session session, ssh_string pubkey_s);
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* KEYS_H_ */

include/libssh/knownhosts.h

@@ -22,6 +22,10 @@
 #ifndef SSH_KNOWNHOSTS_H_
 #define SSH_KNOWNHOSTS_H_
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 struct ssh_list *ssh_known_hosts_get_algorithms(ssh_session session);
 char *ssh_known_hosts_get_algorithms_names(ssh_session session);
 enum ssh_known_hosts_e
@@ -29,4 +33,8 @@ ssh_session_get_known_hosts_entry_file(ssh_session session,
                                        const char *filename,
                                        struct ssh_knownhosts_entry **pentry);
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* SSH_KNOWNHOSTS_H_ */

include/libssh/legacy.h

@@ -31,6 +31,10 @@
 typedef struct ssh_private_key_struct* ssh_private_key;
 typedef struct ssh_public_key_struct* ssh_public_key;
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 LIBSSH_API int ssh_auth_list(ssh_session session);
 LIBSSH_API int ssh_userauth_offer_pubkey(ssh_session session, const char *username, int type, ssh_string publickey);
 LIBSSH_API int ssh_userauth_pubkey(ssh_session session, const char *username, ssh_string publickey, ssh_private_key privatekey);
@@ -117,4 +121,8 @@ SSH_DEPRECATED LIBSSH_API size_t string_len(ssh_string str);
 SSH_DEPRECATED LIBSSH_API ssh_string string_new(size_t size);
 SSH_DEPRECATED LIBSSH_API char *string_to_char(ssh_string str);
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* LEGACY_H_ */

include/libssh/libgcrypt.h

@@ -104,6 +104,10 @@ int ssh_gcry_rand_range(bignum rnd, bignum max);
     } while(0)
 /* Helper functions for data conversions.  */
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 /* Extract an MPI from the given s-expression SEXP named NAME which is
    encoded using INFORMAT and store it in a newly allocated ssh_string
    encoded using OUTFORMAT.  */
@@ -114,6 +118,10 @@ ssh_string ssh_sexp_extract_mpi(const gcry_sexp_t sexp,
 
 #define ssh_fips_mode() false
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* HAVE_LIBGCRYPT */
 
 #endif /* LIBGCRYPT_H_ */

include/libssh/libmbedcrypto.h

@@ -73,6 +73,10 @@ struct mbedtls_ecdsa_sig {
     bignum s;
 };
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 bignum ssh_mbedcry_bn_new(void);
 void ssh_mbedcry_bn_free(bignum num);
 unsigned char *ssh_mbedcry_bn2num(const_bignum num, int radix);
@@ -136,5 +140,9 @@ ssh_string make_ecpoint_string(const mbedtls_ecp_group *g, const
 
 #define ssh_fips_mode() false
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* HAVE_LIBMBEDCRYPTO */
 #endif /* LIBMBEDCRYPTO_H_ */

include/libssh/libssh.h

@@ -1,7 +1,7 @@
 /*
  * This file is part of the SSH Library
  *
- * Copyright (c) 2003-2022 by Aris Adamantiadis and the libssh team
+ * Copyright (c) 2003-2023 by Aris Adamantiadis and the libssh team
  *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -82,7 +82,7 @@
 #define PRINTF_ATTRIBUTE(a,b)
 #endif /* __GNUC__ */
 
-#ifdef __GNUC__
+#if !defined(SSH_SUPPRESS_DEPRECATED) && defined(__GNUC__)
 #define SSH_DEPRECATED __attribute__ ((deprecated))
 #else
 #define SSH_DEPRECATED
@@ -357,7 +357,7 @@ enum {
 #define SSH_LOG_WARN 1
 /** Get some information what's going on */
 #define SSH_LOG_INFO 2
-/** Get detailed debuging information **/
+/** Get detailed debugging information **/
 #define SSH_LOG_DEBUG 3
 /** Get trace output, packet information, ... */
 #define SSH_LOG_TRACE 4

include/libssh/messages.h

@@ -92,6 +92,10 @@ struct ssh_message_struct {
     struct ssh_global_request global_request;
 };
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 SSH_PACKET_CALLBACK(ssh_packet_channel_open);
 SSH_PACKET_CALLBACK(ssh_packet_global_request);
 
@@ -104,4 +108,8 @@ int ssh_message_handle_channel_request(ssh_session session, ssh_channel channel,
     const char *request, uint8_t want_reply);
 ssh_message ssh_message_pop_head(ssh_session session);
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* MESSAGES_H_ */

include/libssh/misc.h

@@ -21,6 +21,10 @@
 #ifndef MISC_H_
 #define MISC_H_
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 /* in misc.c */
 /* gets the user home dir. */
 char *ssh_get_user_home_dir(void);
@@ -75,7 +79,7 @@ const void *_ssh_list_pop_head(struct ssh_list *list);
 
 /** @brief fetch the head element of a list and remove it from list
  * @param type type of the element to return
- * @param list the ssh_list to use
+ * @param ssh_list the ssh_list to use
  * @return the first element of the list, or NULL if the list is empty
  */
 #define ssh_list_pop_head(type, ssh_list)\
@@ -96,7 +100,11 @@ int ssh_mkdirs(const char *pathname, mode_t mode);
 
 int ssh_quote_file_name(const char *file_name, char *buf, size_t buf_len);
 int ssh_newline_vis(const char *string, char *buf, size_t buf_len);
-int ssh_tmpname(char *template);
+int ssh_tmpname(char *name);
 
 char *ssh_strreplace(const char *src, const char *pattern, const char *repl);
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* MISC_H_ */

include/libssh/options.h

@@ -21,6 +21,10 @@
 #ifndef _OPTIONS_H
 #define _OPTIONS_H
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 int ssh_config_parse_file(ssh_session session, const char *filename);
 int ssh_config_parse_string(ssh_session session, const char *input);
 int ssh_options_set_algo(ssh_session session,
@@ -28,4 +32,8 @@ int ssh_options_set_algo(ssh_session session,
                          const char *list);
 int ssh_options_apply(ssh_session session);
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* _OPTIONS_H */

include/libssh/packet.h

@@ -51,6 +51,10 @@ enum ssh_packet_filter_result_e {
 
 int ssh_packet_send(ssh_session session);
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 SSH_PACKET_CALLBACK(ssh_packet_unimplemented);
 SSH_PACKET_CALLBACK(ssh_packet_disconnect_callback);
 SSH_PACKET_CALLBACK(ssh_packet_ignore_callback);
@@ -88,4 +92,8 @@ int ssh_packet_set_newkeys(ssh_session session,
 struct ssh_crypto_struct *ssh_packet_get_current_crypto(ssh_session session,
         enum ssh_crypto_direction_e direction);
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* PACKET_H_ */

include/libssh/pcap.h

@@ -27,6 +27,10 @@
 #ifdef WITH_PCAP
 typedef struct ssh_pcap_context_struct* ssh_pcap_context;
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 int ssh_pcap_file_write_packet(ssh_pcap_file pcap, ssh_buffer packet, uint32_t original_len);
 
 ssh_pcap_context ssh_pcap_context_new(ssh_session session);
@@ -41,5 +45,9 @@ int ssh_pcap_context_write(ssh_pcap_context,enum ssh_pcap_direction direction, v
 		uint32_t len, uint32_t origlen);
 
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* WITH_PCAP */
 #endif /* PCAP_H_ */

include/libssh/pki.h

@@ -33,8 +33,8 @@
 #include <openssl/evp.h>
 #endif
 #include "libssh/crypto.h"
-#ifdef HAVE_OPENSSL_ED25519
-/* If using OpenSSL implementation, define the signature lenght which would be
+#if defined(HAVE_LIBCRYPTO) && defined(HAVE_OPENSSL_ED25519)
+/* If using OpenSSL implementation, define the signature length which would be
  * defined in libssh/ed25519.h otherwise */
 #define ED25519_SIG_LEN 64
 #else
@@ -78,9 +78,11 @@ struct ssh_key_struct {
 # else
     void *ecdsa;
 # endif /* HAVE_OPENSSL_EC_H */
-    EVP_PKEY *key; /* Saving the OpenSSL context here to save time while converting*/
+    /* This holds either ENGINE key for PKCS#11 support or just key in
+     * high-level format required by OpenSSL 3.0 */
+    EVP_PKEY *key;
 #endif /* HAVE_LIBGCRYPT */
-#ifdef HAVE_OPENSSL_ED25519
+#if defined(HAVE_LIBCRYPTO) && defined(HAVE_OPENSSL_ED25519)
     uint8_t *ed25519_pubkey;
     uint8_t *ed25519_privkey;
 #else
@@ -104,7 +106,7 @@ struct ssh_signature_struct {
     ssh_string rsa_sig;
     struct mbedtls_ecdsa_sig ecdsa_sig;
 #endif /* HAVE_LIBGCRYPT */
-#ifndef HAVE_OPENSSL_ED25519
+#if !defined(HAVE_LIBCRYPTO) || !defined(HAVE_OPENSSL_ED25519)
     ed25519_signature *ed25519_sig;
 #endif
     ssh_string raw_sig;
@@ -116,6 +118,10 @@ struct ssh_signature_struct {
 
 typedef struct ssh_signature_struct *ssh_signature;
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 /* SSH Key Functions */
 void ssh_key_clean (ssh_key key);
 
@@ -187,7 +193,13 @@ bool ssh_key_size_allowed(ssh_session session, ssh_key key);
 int ssh_key_size(ssh_key key);
 
 /* PKCS11 URI function to check if filename is a path or a PKCS11 URI */
+#ifdef WITH_PKCS11_URI
 bool ssh_pki_is_uri(const char *filename);
 char *ssh_pki_export_pub_uri_from_priv_uri(const char *priv_uri);
+#endif /* WITH_PKCS11_URI */
+
+#ifdef __cplusplus
+}
+#endif
 
 #endif /* PKI_H_ */

include/libssh/pki_priv.h

@@ -23,6 +23,10 @@
 
 #include "libssh/pki.h"
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 /* defined in bcrypt_pbkdf.c */
 int bcrypt_pbkdf(const char *pass,
                  size_t passlen,
@@ -49,6 +53,8 @@ enum ssh_key_e {
   SSH_KEY_PRIVATE
 };
 
+void pki_key_clean(ssh_key key);
+
 int pki_key_ecdsa_nid_from_name(const char *name);
 const char *pki_key_ecdsa_nid_to_name(int nid);
 const char *ssh_key_signature_to_char(enum ssh_keytypes_e type,
@@ -147,7 +153,7 @@ int pki_ed25519_verify(const ssh_key pubkey, ssh_signature sig,
 int pki_ed25519_key_cmp(const ssh_key k1,
                 const ssh_key k2,
                 enum ssh_keycmp_e what);
-int pki_ed25519_key_dup(ssh_key new, const ssh_key key);
+int pki_ed25519_key_dup(ssh_key new_key, const ssh_key key);
 int pki_ed25519_public_key_to_blob(ssh_buffer buffer, ssh_key key);
 ssh_string pki_ed25519_signature_to_blob(ssh_signature sig);
 int pki_signature_from_ed25519_blob(ssh_signature sig, ssh_string sig_blob);
@@ -162,8 +168,14 @@ ssh_key ssh_pki_openssh_privkey_import(const char *text_key,
 ssh_string ssh_pki_openssh_privkey_export(const ssh_key privkey,
         const char *passphrase, ssh_auth_callback auth_fn, void *auth_data);
 
+#ifdef WITH_PKCS11_URI
 /* URI Function */
 int pki_uri_import(const char *uri_name, ssh_key *key, enum ssh_key_e key_type);
+#endif /* WITH_PKCS11_URI */
 
 bool ssh_key_size_allowed_rsa(int min_size, ssh_key key);
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* PKI_PRIV_H_ */

include/libssh/poll.h

@@ -114,6 +114,10 @@ typedef unsigned long int nfds_t;
 #endif /* WIN32 */
 #endif /* HAVE_POLL */
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 void ssh_poll_init(void);
 void ssh_poll_cleanup(void);
 int ssh_poll(ssh_pollfd_t *fds, nfds_t nfds, int timeout);
@@ -158,4 +162,8 @@ ssh_poll_ctx ssh_poll_get_default_ctx(ssh_session session);
 int ssh_event_add_poll(ssh_event event, ssh_poll_handle p);
 void ssh_event_remove_poll(ssh_event event, ssh_poll_handle p);
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* POLL_H_ */

include/libssh/poly1305.h

@@ -7,6 +7,10 @@
 #define POLY1305_H
 #include "libssh/chacha20-poly1305-common.h"
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 void poly1305_auth(uint8_t out[POLY1305_TAGLEN], const uint8_t *m, size_t inlen,
     const uint8_t key[POLY1305_KEYLEN])
 #ifdef HAVE_GCC_BOUNDED_ATTRIBUTE
@@ -16,4 +20,8 @@ void poly1305_auth(uint8_t out[POLY1305_TAGLEN], const uint8_t *m, size_t inlen,
 #endif
     ;
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif	/* POLY1305_H */

include/libssh/priv.h

@@ -47,6 +47,10 @@
 # endif
 #endif /* !defined(HAVE_STRTOULL) */
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 #if !defined(HAVE_STRNDUP)
 char *strndup(const char *s, size_t n);
 #endif /* ! HAVE_STRNDUP */
@@ -152,7 +156,9 @@ char *strndup(const char *s, size_t n);
 # endif /* _MSC_VER */
 
 struct timeval;
-int gettimeofday(struct timeval *__p, void *__t);
+int ssh_gettimeofday(struct timeval *__p, void *__t);
+
+#define gettimeofday ssh_gettimeofday
 
 #define _XCLOSESOCKET closesocket
 
@@ -432,4 +438,8 @@ bool is_ssh_initialized(void);
 #define SSH_ERRNO_MSG_MAX   1024
 char *ssh_strerror(int err_num, char *buf, size_t buflen);
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* _LIBSSH_PRIV_H */

include/libssh/sc25519.h

@@ -35,6 +35,10 @@ typedef struct {
   uint32_t v[16];
 } shortsc25519;
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 void sc25519_from32bytes(sc25519 *r, const unsigned char x[32]);
 
 void shortsc25519_from16bytes(shortsc25519 *r, const unsigned char x[16]);
@@ -71,4 +75,8 @@ void sc25519_window5(signed char r[51], const sc25519 *s);
 
 void sc25519_2interleave2(unsigned char r[127], const sc25519 *s1, const sc25519 *s2);
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif

include/libssh/scp.h

@@ -47,9 +47,17 @@ struct ssh_scp_struct {
   int request_mode;
 };
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 int ssh_scp_read_string(ssh_scp scp, char *buffer, size_t len);
 int ssh_scp_integer_mode(const char *mode);
 char *ssh_scp_string_mode(int mode);
 int ssh_scp_response(ssh_scp scp, char **response);
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif

include/libssh/server.h

@@ -117,7 +117,7 @@ LIBSSH_API int ssh_bind_listen(ssh_bind ssh_bind_o);
  *
  * @param[in] userdata  A pointer to private data to pass to the callbacks.
  *
- * @return              SSH_OK on success, SSH_ERROR if an error occured.
+ * @return              SSH_OK on success, SSH_ERROR if an error occurred.
  *
  * @code
  *     struct ssh_callbacks_struct cb = {
@@ -280,7 +280,7 @@ LIBSSH_API int ssh_message_reply_default(ssh_message msg);
  *
  * @param[in] msg       The message to get the username from.
  *
- * @return              The username or NULL if an error occured.
+ * @return              The username or NULL if an error occurred.
  *
  * @see ssh_message_get()
  * @see ssh_message_type()
@@ -292,11 +292,11 @@ LIBSSH_API const char *ssh_message_auth_user(ssh_message msg);
  *
  * @param[in] msg       The message to get the password from.
  *
- * @return              The username or NULL if an error occured.
+ * @return              The username or NULL if an error occurred.
  *
  * @see ssh_message_get()
  * @see ssh_message_type()
- * @warning This function should not be used anymore as there is a
+ * @deprecated This function should not be used anymore as there is a
  * callback based server implementation now auth_password_function.
  */
 SSH_DEPRECATED LIBSSH_API const char *ssh_message_auth_password(ssh_message msg);
@@ -314,14 +314,19 @@ SSH_DEPRECATED LIBSSH_API const char *ssh_message_auth_password(ssh_message msg)
  * @see ssh_key_cmp()
  * @see ssh_message_get()
  * @see ssh_message_type()
- * @warning This function should not be used anymore as there is a
+ * @deprecated This function should not be used anymore as there is a
  * callback based server implementation auth_pubkey_function.
  */
 SSH_DEPRECATED LIBSSH_API ssh_key ssh_message_auth_pubkey(ssh_message msg);
 
 LIBSSH_API int ssh_message_auth_kbdint_is_response(ssh_message msg);
 
-/* Replaced by callback based server implementation auth_pubkey_function */
+/**
+ * @param[in] msg       The message to get the public key state from.
+ *
+ * @deprecated This function should not be used anymore as there is a
+ * callback based server implementation auth_pubkey_function
+ */
 SSH_DEPRECATED LIBSSH_API enum ssh_publickey_state_e ssh_message_auth_publickey_state(ssh_message msg);
 
 LIBSSH_API int ssh_message_auth_reply_success(ssh_message msg,int partial);

include/libssh/session.h

@@ -76,6 +76,11 @@ enum ssh_pending_call_e {
 /* Client successfully authenticated */
 #define SSH_SESSION_FLAG_AUTHENTICATED 2
 
+/* The KEXINIT message can be sent first by either of the parties so this flag
+ * indicates that the message was already sent to make sure it is sent and avoid
+ * sending it twice during key exchange to simplify the state machine. */
+#define SSH_SESSION_FLAG_KEXINIT_SENT 4
+
 /* codes to use with ssh_handle_packets*() */
 /* Infinite timeout */
 #define SSH_TIMEOUT_INFINITE -1
@@ -93,6 +98,12 @@ enum ssh_pending_call_e {
 #define SSH_OPT_FLAG_KBDINT_AUTH 0x4
 #define SSH_OPT_FLAG_GSSAPI_AUTH 0x8
 
+/* Escape expansion of different variables */
+#define SSH_OPT_EXP_FLAG_KNOWNHOSTS 0x1
+#define SSH_OPT_EXP_FLAG_GLOBAL_KNOWNHOSTS 0x2
+#define SSH_OPT_EXP_FLAG_PROXYCOMMAND 0x4
+#define SSH_OPT_EXP_FLAG_IDENTITY 0x8
+
 /* extensions flags */
 /* negotiation enabled */
 #define SSH_EXT_NEGOTIATION     0x01
@@ -132,10 +143,8 @@ struct ssh_session_struct {
     /* Extensions negotiated using RFC 8308 */
     uint32_t extensions;
 
-    ssh_string banner; /* that's the issue banner from
-                       the server */
-    char *discon_msg; /* disconnect message from
-                         the remote host */
+    ssh_string banner; /* that's the issue banner from the server */
+    char *peer_discon_msg; /* disconnect message from the remote host */
     char *disconnect_message; /* disconnect message to be set */
     ssh_buffer in_buffer;
     PACKET in_packet;
@@ -160,25 +169,33 @@ struct ssh_session_struct {
         uint32_t current_method;
     } auth;
 
+    /* Sending this flag before key exchange to save one round trip during the
+     * key exchange. This might make sense on high-latency connections.
+     * So far internal only for testing. Usable only on the client side --
+     * there is no key exchange method that would start with server message */
+    bool send_first_kex_follows;
     /*
      * RFC 4253, 7.1: if the first_kex_packet_follows flag was set in
      * the received SSH_MSG_KEXINIT, but the guess was wrong, this
      * field will be set such that the following guessed packet will
-     * be ignored.  Once that packet has been received and ignored,
-     * this field is cleared.
+     * be ignored on the receiving side.  Once that packet has been received and
+     * ignored, this field is cleared.
+     * On the sending side, this is set after we got peer KEXINIT message and we
+     * need to resend the initial message of the negotiated KEX algorithm.
      */
-    int first_kex_follows_guess_wrong;
+    bool first_kex_follows_guess_wrong;
 
     ssh_buffer in_hashbuf;
     ssh_buffer out_hashbuf;
     struct ssh_crypto_struct *current_crypto;
-    struct ssh_crypto_struct *next_crypto;  /* next_crypto is going to be used after a SSH2_MSG_NEWKEYS */
+    /* next_crypto is going to be used after a SSH2_MSG_NEWKEYS */
+    struct ssh_crypto_struct *next_crypto;
 
     struct ssh_list *channels; /* linked list of channels */
     uint32_t maxchannel;
     ssh_agent agent; /* ssh agent */
 
-/* keyb interactive data */
+    /* keyboard interactive data */
     struct ssh_kbdint_struct *kbdint;
     struct ssh_gssapi_struct *gssapi;
 
@@ -195,7 +212,8 @@ struct ssh_session_struct {
 
     /* auths accepted by server */
     struct ssh_list *ssh_message_list; /* list of delayed SSH messages */
-    int (*ssh_message_callback)( struct ssh_session_struct *session, ssh_message msg, void *userdata);
+    int (*ssh_message_callback)(struct ssh_session_struct *session,
+                                ssh_message msg, void *userdata);
     void *ssh_message_callback_data;
     ssh_server_callbacks server_callbacks;
     void (*ssh_connection_callback)( struct ssh_session_struct *session);
@@ -209,6 +227,7 @@ struct ssh_session_struct {
 #endif
     struct {
         struct ssh_list *identity;
+        struct ssh_list *identity_non_exp;
         char *username;
         char *host;
         char *bindaddr; /* bind the client to an ip addr */
@@ -223,7 +242,7 @@ struct ssh_session_struct {
         char *agent_socket;
         unsigned long timeout; /* seconds */
         unsigned long timeout_usec;
-        unsigned int port;
+        uint16_t port;
         socket_t fd;
         int StrictHostKeyChecking;
         char compressionlevel;
@@ -231,6 +250,7 @@ struct ssh_session_struct {
         char *gss_client_identity;
         int gss_delegate_creds;
         int flags;
+        int exp_flags;
         int nodelay;
         bool config_processed;
         uint8_t options_seen[SOC_MAX];

include/libssh/sftp.h

@@ -681,6 +681,11 @@ LIBSSH_API int sftp_rename(sftp_session sftp, const char *original, const  char
 /**
  * @brief Set file attributes on a file, directory or symbolic link.
  *
+ * Note, that this function can only set time values using 32 bit values due to
+ * the restrictions in the SFTP protocol version 3 implemented by libssh.
+ * The support for 64 bit time values was introduced in SFTP version 5, which is
+ * not implemented by libssh nor any major SFTP servers.
+ *
  * @param sftp          The sftp session handle.
  *
  * @param file          The file which attributes should be changed.
@@ -767,6 +772,8 @@ LIBSSH_API int sftp_symlink(sftp_session sftp, const char *target, const char *d
  * @param  path         Specifies the path name of the symlink to be read.
  *
  * @return              The target of the link, NULL on error.
+ *                      The caller needs to free the memory
+ *                      using ssh_string_free_char().
  *
  * @see sftp_get_error()
  */

include/libssh/sftp_priv.h

@@ -21,6 +21,10 @@
 #ifndef SFTP_PRIV_H
 #define SFTP_PRIV_H
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 sftp_packet sftp_packet_read(sftp_session sftp);
 int sftp_packet_write(sftp_session sftp, uint8_t type, ssh_buffer payload);
 void sftp_packet_free(sftp_packet packet);
@@ -29,4 +33,8 @@ sftp_attributes sftp_parse_attr(sftp_session session,
                                 ssh_buffer buf,
                                 int expectname);
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* SFTP_PRIV_H */

include/libssh/socket.h

@@ -35,6 +35,7 @@ void ssh_socket_reset(ssh_socket s);
 void ssh_socket_free(ssh_socket s);
 void ssh_socket_set_fd(ssh_socket s, socket_t fd);
 socket_t ssh_socket_get_fd(ssh_socket s);
+void ssh_socket_set_connected(ssh_socket s, struct ssh_poll_handle_struct *p);
 int ssh_socket_unix(ssh_socket s, const char *path);
 void ssh_execute_command(const char *command, socket_t in, socket_t out);
 #ifndef _WIN32

include/libssh/string.h

@@ -22,6 +22,10 @@
 #define STRING_H_
 #include "libssh/priv.h"
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 /* must be 32 bits number + immediately our data */
 #ifdef _MSC_VER
 #pragma pack(1)
@@ -38,4 +42,8 @@ __attribute__ ((packed))
 #endif
 ;
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* STRING_H_ */

include/libssh/threads.h

@@ -49,6 +49,10 @@
 
 #endif
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 int ssh_threads_init(void);
 void ssh_threads_finalize(void);
 const char *ssh_threads_get_type(void);
@@ -60,4 +64,8 @@ struct ssh_threads_callbacks_struct *ssh_threads_get_default(void);
 int crypto_thread_init(struct ssh_threads_callbacks_struct *user_callbacks);
 void crypto_thread_finalize(void);
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* THREADS_H_ */

include/libssh/token.h

@@ -31,6 +31,10 @@ struct ssh_tokens_st {
     char **tokens;
 };
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 struct ssh_tokens_st *ssh_tokenize(const char *chain, char separator);
 
 void ssh_tokens_free(struct ssh_tokens_st *tokens);
@@ -45,4 +49,8 @@ char *ssh_remove_duplicates(const char *list);
 
 char *ssh_append_without_duplicates(const char *list,
                                     const char *appended_list);
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* TOKEN_H_ */

include/libssh/wrapper.h

@@ -29,6 +29,10 @@
 #include "libssh/libgcrypt.h"
 #include "libssh/libmbedcrypto.h"
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 enum ssh_kdf_digest {
     SSH_KDF_SHA1=1,
     SSH_KDF_SHA256,
@@ -103,7 +107,7 @@ size_t hmac_digest_len(enum ssh_hmac_e type);
 
 int ssh_kdf(struct ssh_crypto_struct *crypto,
             unsigned char *key, size_t key_len,
-            int key_type, unsigned char *output,
+            uint8_t key_type, unsigned char *output,
             size_t requested_len);
 
 int crypt_set_algorithms_client(ssh_session session);
@@ -122,9 +126,13 @@ const char *ssh_hmac_type_to_string(enum ssh_hmac_e hmac_type, bool etm);
 
 #if defined(HAVE_LIBCRYPTO) && OPENSSL_VERSION_NUMBER >= 0x30000000L
 int evp_build_pkey(const char* name, OSSL_PARAM_BLD *param_bld, EVP_PKEY **pkey, int selection);
-int evp_dup_dsa_pkey(const ssh_key key, ssh_key new, int demote);
-int evp_dup_rsa_pkey(const ssh_key key, ssh_key new, int demote);
-int evp_dup_ecdsa_pkey(const ssh_key key, ssh_key new, int demote);
+int evp_dup_dsa_pkey(const ssh_key key, ssh_key new_key, int demote);
+int evp_dup_rsa_pkey(const ssh_key key, ssh_key new_key, int demote);
+int evp_dup_ecdsa_pkey(const ssh_key key, ssh_key new_key, int demote);
 #endif /* HAVE_LIBCRYPTO && OPENSSL_VERSION_NUMBER */
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* WRAPPER_H_ */

libssh.pc.cmake

@@ -1,6 +1,10 @@
-Name: ${PROJECT_NAME}
-Description: The SSH Library
-Version: ${PROJECT_VERSION}
-Libs: -L${CMAKE_INSTALL_FULL_LIBDIR} -lssh
-Cflags: -I${CMAKE_INSTALL_FULL_INCLUDEDIR}
+prefix=@CMAKE_INSTALL_PREFIX@
+exec_prefix=${prefix}
+libdir=@CMAKE_INSTALL_FULL_LIBDIR@
+includedir=@CMAKE_INSTALL_FULL_INCLUDEDIR@
 
+Name: @PROJECT_NAME@
+Description: The SSH Library
+Version: @PROJECT_VERSION@
+Libs: -L${libdir} -lssh
+Cflags: -I${includedir}

src/ABI/current

@@ -1 +1 @@
-4.9.0
+4.9.5

src/ABI/libssh-4.9.1.symbols

@@ -0,0 +1,427 @@
+_ssh_log
+buffer_free
+buffer_get
+buffer_get_len
+buffer_new
+channel_accept_x11
+channel_change_pty_size
+channel_close
+channel_forward_accept
+channel_forward_cancel
+channel_forward_listen
+channel_free
+channel_get_exit_status
+channel_get_session
+channel_is_closed
+channel_is_eof
+channel_is_open
+channel_new
+channel_open_forward
+channel_open_session
+channel_poll
+channel_read
+channel_read_buffer
+channel_read_nonblocking
+channel_request_env
+channel_request_exec
+channel_request_pty
+channel_request_pty_size
+channel_request_send_signal
+channel_request_sftp
+channel_request_shell
+channel_request_subsystem
+channel_request_x11
+channel_select
+channel_send_eof
+channel_set_blocking
+channel_write
+channel_write_stderr
+privatekey_free
+privatekey_from_file
+publickey_free
+publickey_from_file
+publickey_from_privatekey
+publickey_to_string
+sftp_async_read
+sftp_async_read_begin
+sftp_attributes_free
+sftp_canonicalize_path
+sftp_chmod
+sftp_chown
+sftp_client_message_free
+sftp_client_message_get_data
+sftp_client_message_get_filename
+sftp_client_message_get_flags
+sftp_client_message_get_submessage
+sftp_client_message_get_type
+sftp_client_message_set_filename
+sftp_close
+sftp_closedir
+sftp_dir_eof
+sftp_extension_supported
+sftp_extensions_get_count
+sftp_extensions_get_data
+sftp_extensions_get_name
+sftp_file_set_blocking
+sftp_file_set_nonblocking
+sftp_free
+sftp_fstat
+sftp_fstatvfs
+sftp_fsync
+sftp_get_client_message
+sftp_get_error
+sftp_handle
+sftp_handle_alloc
+sftp_handle_remove
+sftp_init
+sftp_lstat
+sftp_mkdir
+sftp_new
+sftp_new_channel
+sftp_open
+sftp_opendir
+sftp_read
+sftp_readdir
+sftp_readlink
+sftp_rename
+sftp_reply_attr
+sftp_reply_data
+sftp_reply_handle
+sftp_reply_name
+sftp_reply_names
+sftp_reply_names_add
+sftp_reply_status
+sftp_rewind
+sftp_rmdir
+sftp_seek
+sftp_seek64
+sftp_send_client_message
+sftp_server_free
+sftp_server_init
+sftp_server_new
+sftp_server_version
+sftp_setstat
+sftp_stat
+sftp_statvfs
+sftp_statvfs_free
+sftp_symlink
+sftp_tell
+sftp_tell64
+sftp_unlink
+sftp_utimes
+sftp_write
+ssh_accept
+ssh_add_channel_callbacks
+ssh_auth_list
+ssh_basename
+ssh_bind_accept
+ssh_bind_accept_fd
+ssh_bind_fd_toaccept
+ssh_bind_free
+ssh_bind_get_fd
+ssh_bind_listen
+ssh_bind_new
+ssh_bind_options_parse_config
+ssh_bind_options_set
+ssh_bind_set_blocking
+ssh_bind_set_callbacks
+ssh_bind_set_fd
+ssh_blocking_flush
+ssh_buffer_add_data
+ssh_buffer_free
+ssh_buffer_get
+ssh_buffer_get_data
+ssh_buffer_get_len
+ssh_buffer_new
+ssh_buffer_reinit
+ssh_channel_accept_forward
+ssh_channel_accept_x11
+ssh_channel_cancel_forward
+ssh_channel_change_pty_size
+ssh_channel_close
+ssh_channel_free
+ssh_channel_get_exit_status
+ssh_channel_get_session
+ssh_channel_is_closed
+ssh_channel_is_eof
+ssh_channel_is_open
+ssh_channel_listen_forward
+ssh_channel_new
+ssh_channel_open_auth_agent
+ssh_channel_open_forward
+ssh_channel_open_forward_port
+ssh_channel_open_forward_unix
+ssh_channel_open_reverse_forward
+ssh_channel_open_session
+ssh_channel_open_x11
+ssh_channel_poll
+ssh_channel_poll_timeout
+ssh_channel_read
+ssh_channel_read_nonblocking
+ssh_channel_read_timeout
+ssh_channel_request_auth_agent
+ssh_channel_request_env
+ssh_channel_request_exec
+ssh_channel_request_pty
+ssh_channel_request_pty_size
+ssh_channel_request_send_break
+ssh_channel_request_send_exit_signal
+ssh_channel_request_send_exit_status
+ssh_channel_request_send_signal
+ssh_channel_request_sftp
+ssh_channel_request_shell
+ssh_channel_request_subsystem
+ssh_channel_request_x11
+ssh_channel_select
+ssh_channel_send_eof
+ssh_channel_set_blocking
+ssh_channel_set_counter
+ssh_channel_window_size
+ssh_channel_write
+ssh_channel_write_stderr
+ssh_clean_pubkey_hash
+ssh_connect
+ssh_connector_free
+ssh_connector_new
+ssh_connector_set_in_channel
+ssh_connector_set_in_fd
+ssh_connector_set_out_channel
+ssh_connector_set_out_fd
+ssh_copyright
+ssh_dirname
+ssh_disconnect
+ssh_dump_knownhost
+ssh_event_add_connector
+ssh_event_add_fd
+ssh_event_add_session
+ssh_event_dopoll
+ssh_event_free
+ssh_event_new
+ssh_event_remove_connector
+ssh_event_remove_fd
+ssh_event_remove_session
+ssh_execute_message_callbacks
+ssh_finalize
+ssh_forward_accept
+ssh_forward_cancel
+ssh_forward_listen
+ssh_free
+ssh_get_cipher_in
+ssh_get_cipher_out
+ssh_get_clientbanner
+ssh_get_disconnect_message
+ssh_get_error
+ssh_get_error_code
+ssh_get_fd
+ssh_get_fingerprint_hash
+ssh_get_hexa
+ssh_get_hmac_in
+ssh_get_hmac_out
+ssh_get_issue_banner
+ssh_get_kex_algo
+ssh_get_log_callback
+ssh_get_log_level
+ssh_get_log_userdata
+ssh_get_openssh_version
+ssh_get_poll_flags
+ssh_get_pubkey
+ssh_get_pubkey_hash
+ssh_get_publickey
+ssh_get_publickey_hash
+ssh_get_random
+ssh_get_server_publickey
+ssh_get_serverbanner
+ssh_get_status
+ssh_get_version
+ssh_getpass
+ssh_gssapi_get_creds
+ssh_gssapi_set_creds
+ssh_handle_key_exchange
+ssh_init
+ssh_is_blocking
+ssh_is_connected
+ssh_is_server_known
+ssh_key_cmp
+ssh_key_dup
+ssh_key_free
+ssh_key_is_private
+ssh_key_is_public
+ssh_key_new
+ssh_key_type
+ssh_key_type_from_name
+ssh_key_type_to_char
+ssh_known_hosts_parse_line
+ssh_knownhosts_entry_free
+ssh_log
+ssh_message_auth_interactive_request
+ssh_message_auth_kbdint_is_response
+ssh_message_auth_password
+ssh_message_auth_pubkey
+ssh_message_auth_publickey
+ssh_message_auth_publickey_state
+ssh_message_auth_reply_pk_ok
+ssh_message_auth_reply_pk_ok_simple
+ssh_message_auth_reply_success
+ssh_message_auth_set_methods
+ssh_message_auth_user
+ssh_message_channel_request_channel
+ssh_message_channel_request_command
+ssh_message_channel_request_env_name
+ssh_message_channel_request_env_value
+ssh_message_channel_request_open_destination
+ssh_message_channel_request_open_destination_port
+ssh_message_channel_request_open_originator
+ssh_message_channel_request_open_originator_port
+ssh_message_channel_request_open_reply_accept
+ssh_message_channel_request_open_reply_accept_channel
+ssh_message_channel_request_pty_height
+ssh_message_channel_request_pty_pxheight
+ssh_message_channel_request_pty_pxwidth
+ssh_message_channel_request_pty_term
+ssh_message_channel_request_pty_width
+ssh_message_channel_request_reply_success
+ssh_message_channel_request_subsystem
+ssh_message_channel_request_x11_auth_cookie
+ssh_message_channel_request_x11_auth_protocol
+ssh_message_channel_request_x11_screen_number
+ssh_message_channel_request_x11_single_connection
+ssh_message_free
+ssh_message_get
+ssh_message_global_request_address
+ssh_message_global_request_port
+ssh_message_global_request_reply_success
+ssh_message_reply_default
+ssh_message_retrieve
+ssh_message_service_reply_success
+ssh_message_service_service
+ssh_message_subtype
+ssh_message_type
+ssh_mkdir
+ssh_new
+ssh_options_copy
+ssh_options_get
+ssh_options_get_port
+ssh_options_getopt
+ssh_options_parse_config
+ssh_options_set
+ssh_pcap_file_close
+ssh_pcap_file_free
+ssh_pcap_file_new
+ssh_pcap_file_open
+ssh_pki_copy_cert_to_privkey
+ssh_pki_export_privkey_base64
+ssh_pki_export_privkey_file
+ssh_pki_export_privkey_to_pubkey
+ssh_pki_export_pubkey_base64
+ssh_pki_export_pubkey_file
+ssh_pki_generate
+ssh_pki_import_cert_base64
+ssh_pki_import_cert_file
+ssh_pki_import_privkey_base64
+ssh_pki_import_privkey_file
+ssh_pki_import_pubkey_base64
+ssh_pki_import_pubkey_file
+ssh_pki_key_ecdsa_name
+ssh_print_hash
+ssh_print_hexa
+ssh_privatekey_type
+ssh_publickey_to_file
+ssh_remove_channel_callbacks
+ssh_scp_accept_request
+ssh_scp_close
+ssh_scp_deny_request
+ssh_scp_free
+ssh_scp_init
+ssh_scp_leave_directory
+ssh_scp_new
+ssh_scp_pull_request
+ssh_scp_push_directory
+ssh_scp_push_file
+ssh_scp_push_file64
+ssh_scp_read
+ssh_scp_request_get_filename
+ssh_scp_request_get_permissions
+ssh_scp_request_get_size
+ssh_scp_request_get_size64
+ssh_scp_request_get_warning
+ssh_scp_write
+ssh_select
+ssh_send_debug
+ssh_send_ignore
+ssh_send_issue_banner
+ssh_send_keepalive
+ssh_server_init_kex
+ssh_service_request
+ssh_session_export_known_hosts_entry
+ssh_session_get_known_hosts_entry
+ssh_session_has_known_hosts_entry
+ssh_session_is_known_server
+ssh_session_set_disconnect_message
+ssh_session_update_known_hosts
+ssh_set_agent_channel
+ssh_set_agent_socket
+ssh_set_auth_methods
+ssh_set_blocking
+ssh_set_callbacks
+ssh_set_channel_callbacks
+ssh_set_counters
+ssh_set_fd_except
+ssh_set_fd_toread
+ssh_set_fd_towrite
+ssh_set_log_callback
+ssh_set_log_level
+ssh_set_log_userdata
+ssh_set_message_callback
+ssh_set_pcap_file
+ssh_set_server_callbacks
+ssh_silent_disconnect
+ssh_string_burn
+ssh_string_copy
+ssh_string_data
+ssh_string_fill
+ssh_string_free
+ssh_string_free_char
+ssh_string_from_char
+ssh_string_get_char
+ssh_string_len
+ssh_string_new
+ssh_string_to_char
+ssh_threads_get_default
+ssh_threads_get_noop
+ssh_threads_get_pthread
+ssh_threads_set_callbacks
+ssh_try_publickey_from_file
+ssh_userauth_agent
+ssh_userauth_agent_pubkey
+ssh_userauth_autopubkey
+ssh_userauth_gssapi
+ssh_userauth_kbdint
+ssh_userauth_kbdint_getanswer
+ssh_userauth_kbdint_getinstruction
+ssh_userauth_kbdint_getname
+ssh_userauth_kbdint_getnanswers
+ssh_userauth_kbdint_getnprompts
+ssh_userauth_kbdint_getprompt
+ssh_userauth_kbdint_setanswer
+ssh_userauth_list
+ssh_userauth_none
+ssh_userauth_offer_pubkey
+ssh_userauth_password
+ssh_userauth_privatekey_file
+ssh_userauth_pubkey
+ssh_userauth_publickey
+ssh_userauth_publickey_auto
+ssh_userauth_publickey_auto_get_current_identity
+ssh_userauth_try_publickey
+ssh_version
+ssh_vlog
+ssh_write_knownhost
+string_burn
+string_copy
+string_data
+string_fill
+string_free
+string_from_char
+string_len
+string_new
+string_to_char

src/ABI/libssh-4.9.2.symbols

@@ -0,0 +1,427 @@
+_ssh_log
+buffer_free
+buffer_get
+buffer_get_len
+buffer_new
+channel_accept_x11
+channel_change_pty_size
+channel_close
+channel_forward_accept
+channel_forward_cancel
+channel_forward_listen
+channel_free
+channel_get_exit_status
+channel_get_session
+channel_is_closed
+channel_is_eof
+channel_is_open
+channel_new
+channel_open_forward
+channel_open_session
+channel_poll
+channel_read
+channel_read_buffer
+channel_read_nonblocking
+channel_request_env
+channel_request_exec
+channel_request_pty
+channel_request_pty_size
+channel_request_send_signal
+channel_request_sftp
+channel_request_shell
+channel_request_subsystem
+channel_request_x11
+channel_select
+channel_send_eof
+channel_set_blocking
+channel_write
+channel_write_stderr
+privatekey_free
+privatekey_from_file
+publickey_free
+publickey_from_file
+publickey_from_privatekey
+publickey_to_string
+sftp_async_read
+sftp_async_read_begin
+sftp_attributes_free
+sftp_canonicalize_path
+sftp_chmod
+sftp_chown
+sftp_client_message_free
+sftp_client_message_get_data
+sftp_client_message_get_filename
+sftp_client_message_get_flags
+sftp_client_message_get_submessage
+sftp_client_message_get_type
+sftp_client_message_set_filename
+sftp_close
+sftp_closedir
+sftp_dir_eof
+sftp_extension_supported
+sftp_extensions_get_count
+sftp_extensions_get_data
+sftp_extensions_get_name
+sftp_file_set_blocking
+sftp_file_set_nonblocking
+sftp_free
+sftp_fstat
+sftp_fstatvfs
+sftp_fsync
+sftp_get_client_message
+sftp_get_error
+sftp_handle
+sftp_handle_alloc
+sftp_handle_remove
+sftp_init
+sftp_lstat
+sftp_mkdir
+sftp_new
+sftp_new_channel
+sftp_open
+sftp_opendir
+sftp_read
+sftp_readdir
+sftp_readlink
+sftp_rename
+sftp_reply_attr
+sftp_reply_data
+sftp_reply_handle
+sftp_reply_name
+sftp_reply_names
+sftp_reply_names_add
+sftp_reply_status
+sftp_rewind
+sftp_rmdir
+sftp_seek
+sftp_seek64
+sftp_send_client_message
+sftp_server_free
+sftp_server_init
+sftp_server_new
+sftp_server_version
+sftp_setstat
+sftp_stat
+sftp_statvfs
+sftp_statvfs_free
+sftp_symlink
+sftp_tell
+sftp_tell64
+sftp_unlink
+sftp_utimes
+sftp_write
+ssh_accept
+ssh_add_channel_callbacks
+ssh_auth_list
+ssh_basename
+ssh_bind_accept
+ssh_bind_accept_fd
+ssh_bind_fd_toaccept
+ssh_bind_free
+ssh_bind_get_fd
+ssh_bind_listen
+ssh_bind_new
+ssh_bind_options_parse_config
+ssh_bind_options_set
+ssh_bind_set_blocking
+ssh_bind_set_callbacks
+ssh_bind_set_fd
+ssh_blocking_flush
+ssh_buffer_add_data
+ssh_buffer_free
+ssh_buffer_get
+ssh_buffer_get_data
+ssh_buffer_get_len
+ssh_buffer_new
+ssh_buffer_reinit
+ssh_channel_accept_forward
+ssh_channel_accept_x11
+ssh_channel_cancel_forward
+ssh_channel_change_pty_size
+ssh_channel_close
+ssh_channel_free
+ssh_channel_get_exit_status
+ssh_channel_get_session
+ssh_channel_is_closed
+ssh_channel_is_eof
+ssh_channel_is_open
+ssh_channel_listen_forward
+ssh_channel_new
+ssh_channel_open_auth_agent
+ssh_channel_open_forward
+ssh_channel_open_forward_port
+ssh_channel_open_forward_unix
+ssh_channel_open_reverse_forward
+ssh_channel_open_session
+ssh_channel_open_x11
+ssh_channel_poll
+ssh_channel_poll_timeout
+ssh_channel_read
+ssh_channel_read_nonblocking
+ssh_channel_read_timeout
+ssh_channel_request_auth_agent
+ssh_channel_request_env
+ssh_channel_request_exec
+ssh_channel_request_pty
+ssh_channel_request_pty_size
+ssh_channel_request_send_break
+ssh_channel_request_send_exit_signal
+ssh_channel_request_send_exit_status
+ssh_channel_request_send_signal
+ssh_channel_request_sftp
+ssh_channel_request_shell
+ssh_channel_request_subsystem
+ssh_channel_request_x11
+ssh_channel_select
+ssh_channel_send_eof
+ssh_channel_set_blocking
+ssh_channel_set_counter
+ssh_channel_window_size
+ssh_channel_write
+ssh_channel_write_stderr
+ssh_clean_pubkey_hash
+ssh_connect
+ssh_connector_free
+ssh_connector_new
+ssh_connector_set_in_channel
+ssh_connector_set_in_fd
+ssh_connector_set_out_channel
+ssh_connector_set_out_fd
+ssh_copyright
+ssh_dirname
+ssh_disconnect
+ssh_dump_knownhost
+ssh_event_add_connector
+ssh_event_add_fd
+ssh_event_add_session
+ssh_event_dopoll
+ssh_event_free
+ssh_event_new
+ssh_event_remove_connector
+ssh_event_remove_fd
+ssh_event_remove_session
+ssh_execute_message_callbacks
+ssh_finalize
+ssh_forward_accept
+ssh_forward_cancel
+ssh_forward_listen
+ssh_free
+ssh_get_cipher_in
+ssh_get_cipher_out
+ssh_get_clientbanner
+ssh_get_disconnect_message
+ssh_get_error
+ssh_get_error_code
+ssh_get_fd
+ssh_get_fingerprint_hash
+ssh_get_hexa
+ssh_get_hmac_in
+ssh_get_hmac_out
+ssh_get_issue_banner
+ssh_get_kex_algo
+ssh_get_log_callback
+ssh_get_log_level
+ssh_get_log_userdata
+ssh_get_openssh_version
+ssh_get_poll_flags
+ssh_get_pubkey
+ssh_get_pubkey_hash
+ssh_get_publickey
+ssh_get_publickey_hash
+ssh_get_random
+ssh_get_server_publickey
+ssh_get_serverbanner
+ssh_get_status
+ssh_get_version
+ssh_getpass
+ssh_gssapi_get_creds
+ssh_gssapi_set_creds
+ssh_handle_key_exchange
+ssh_init
+ssh_is_blocking
+ssh_is_connected
+ssh_is_server_known
+ssh_key_cmp
+ssh_key_dup
+ssh_key_free
+ssh_key_is_private
+ssh_key_is_public
+ssh_key_new
+ssh_key_type
+ssh_key_type_from_name
+ssh_key_type_to_char
+ssh_known_hosts_parse_line
+ssh_knownhosts_entry_free
+ssh_log
+ssh_message_auth_interactive_request
+ssh_message_auth_kbdint_is_response
+ssh_message_auth_password
+ssh_message_auth_pubkey
+ssh_message_auth_publickey
+ssh_message_auth_publickey_state
+ssh_message_auth_reply_pk_ok
+ssh_message_auth_reply_pk_ok_simple
+ssh_message_auth_reply_success
+ssh_message_auth_set_methods
+ssh_message_auth_user
+ssh_message_channel_request_channel
+ssh_message_channel_request_command
+ssh_message_channel_request_env_name
+ssh_message_channel_request_env_value
+ssh_message_channel_request_open_destination
+ssh_message_channel_request_open_destination_port
+ssh_message_channel_request_open_originator
+ssh_message_channel_request_open_originator_port
+ssh_message_channel_request_open_reply_accept
+ssh_message_channel_request_open_reply_accept_channel
+ssh_message_channel_request_pty_height
+ssh_message_channel_request_pty_pxheight
+ssh_message_channel_request_pty_pxwidth
+ssh_message_channel_request_pty_term
+ssh_message_channel_request_pty_width
+ssh_message_channel_request_reply_success
+ssh_message_channel_request_subsystem
+ssh_message_channel_request_x11_auth_cookie
+ssh_message_channel_request_x11_auth_protocol
+ssh_message_channel_request_x11_screen_number
+ssh_message_channel_request_x11_single_connection
+ssh_message_free
+ssh_message_get
+ssh_message_global_request_address
+ssh_message_global_request_port
+ssh_message_global_request_reply_success
+ssh_message_reply_default
+ssh_message_retrieve
+ssh_message_service_reply_success
+ssh_message_service_service
+ssh_message_subtype
+ssh_message_type
+ssh_mkdir
+ssh_new
+ssh_options_copy
+ssh_options_get
+ssh_options_get_port
+ssh_options_getopt
+ssh_options_parse_config
+ssh_options_set
+ssh_pcap_file_close
+ssh_pcap_file_free
+ssh_pcap_file_new
+ssh_pcap_file_open
+ssh_pki_copy_cert_to_privkey
+ssh_pki_export_privkey_base64
+ssh_pki_export_privkey_file
+ssh_pki_export_privkey_to_pubkey
+ssh_pki_export_pubkey_base64
+ssh_pki_export_pubkey_file
+ssh_pki_generate
+ssh_pki_import_cert_base64
+ssh_pki_import_cert_file
+ssh_pki_import_privkey_base64
+ssh_pki_import_privkey_file
+ssh_pki_import_pubkey_base64
+ssh_pki_import_pubkey_file
+ssh_pki_key_ecdsa_name
+ssh_print_hash
+ssh_print_hexa
+ssh_privatekey_type
+ssh_publickey_to_file
+ssh_remove_channel_callbacks
+ssh_scp_accept_request
+ssh_scp_close
+ssh_scp_deny_request
+ssh_scp_free
+ssh_scp_init
+ssh_scp_leave_directory
+ssh_scp_new
+ssh_scp_pull_request
+ssh_scp_push_directory
+ssh_scp_push_file
+ssh_scp_push_file64
+ssh_scp_read
+ssh_scp_request_get_filename
+ssh_scp_request_get_permissions
+ssh_scp_request_get_size
+ssh_scp_request_get_size64
+ssh_scp_request_get_warning
+ssh_scp_write
+ssh_select
+ssh_send_debug
+ssh_send_ignore
+ssh_send_issue_banner
+ssh_send_keepalive
+ssh_server_init_kex
+ssh_service_request
+ssh_session_export_known_hosts_entry
+ssh_session_get_known_hosts_entry
+ssh_session_has_known_hosts_entry
+ssh_session_is_known_server
+ssh_session_set_disconnect_message
+ssh_session_update_known_hosts
+ssh_set_agent_channel
+ssh_set_agent_socket
+ssh_set_auth_methods
+ssh_set_blocking
+ssh_set_callbacks
+ssh_set_channel_callbacks
+ssh_set_counters
+ssh_set_fd_except
+ssh_set_fd_toread
+ssh_set_fd_towrite
+ssh_set_log_callback
+ssh_set_log_level
+ssh_set_log_userdata
+ssh_set_message_callback
+ssh_set_pcap_file
+ssh_set_server_callbacks
+ssh_silent_disconnect
+ssh_string_burn
+ssh_string_copy
+ssh_string_data
+ssh_string_fill
+ssh_string_free
+ssh_string_free_char
+ssh_string_from_char
+ssh_string_get_char
+ssh_string_len
+ssh_string_new
+ssh_string_to_char
+ssh_threads_get_default
+ssh_threads_get_noop
+ssh_threads_get_pthread
+ssh_threads_set_callbacks
+ssh_try_publickey_from_file
+ssh_userauth_agent
+ssh_userauth_agent_pubkey
+ssh_userauth_autopubkey
+ssh_userauth_gssapi
+ssh_userauth_kbdint
+ssh_userauth_kbdint_getanswer
+ssh_userauth_kbdint_getinstruction
+ssh_userauth_kbdint_getname
+ssh_userauth_kbdint_getnanswers
+ssh_userauth_kbdint_getnprompts
+ssh_userauth_kbdint_getprompt
+ssh_userauth_kbdint_setanswer
+ssh_userauth_list
+ssh_userauth_none
+ssh_userauth_offer_pubkey
+ssh_userauth_password
+ssh_userauth_privatekey_file
+ssh_userauth_pubkey
+ssh_userauth_publickey
+ssh_userauth_publickey_auto
+ssh_userauth_publickey_auto_get_current_identity
+ssh_userauth_try_publickey
+ssh_version
+ssh_vlog
+ssh_write_knownhost
+string_burn
+string_copy
+string_data
+string_fill
+string_free
+string_from_char
+string_len
+string_new
+string_to_char

src/ABI/libssh-4.9.3.symbols

@@ -0,0 +1,427 @@
+_ssh_log
+buffer_free
+buffer_get
+buffer_get_len
+buffer_new
+channel_accept_x11
+channel_change_pty_size
+channel_close
+channel_forward_accept
+channel_forward_cancel
+channel_forward_listen
+channel_free
+channel_get_exit_status
+channel_get_session
+channel_is_closed
+channel_is_eof
+channel_is_open
+channel_new
+channel_open_forward
+channel_open_session
+channel_poll
+channel_read
+channel_read_buffer
+channel_read_nonblocking
+channel_request_env
+channel_request_exec
+channel_request_pty
+channel_request_pty_size
+channel_request_send_signal
+channel_request_sftp
+channel_request_shell
+channel_request_subsystem
+channel_request_x11
+channel_select
+channel_send_eof
+channel_set_blocking
+channel_write
+channel_write_stderr
+privatekey_free
+privatekey_from_file
+publickey_free
+publickey_from_file
+publickey_from_privatekey
+publickey_to_string
+sftp_async_read
+sftp_async_read_begin
+sftp_attributes_free
+sftp_canonicalize_path
+sftp_chmod
+sftp_chown
+sftp_client_message_free
+sftp_client_message_get_data
+sftp_client_message_get_filename
+sftp_client_message_get_flags
+sftp_client_message_get_submessage
+sftp_client_message_get_type
+sftp_client_message_set_filename
+sftp_close
+sftp_closedir
+sftp_dir_eof
+sftp_extension_supported
+sftp_extensions_get_count
+sftp_extensions_get_data
+sftp_extensions_get_name
+sftp_file_set_blocking
+sftp_file_set_nonblocking
+sftp_free
+sftp_fstat
+sftp_fstatvfs
+sftp_fsync
+sftp_get_client_message
+sftp_get_error
+sftp_handle
+sftp_handle_alloc
+sftp_handle_remove
+sftp_init
+sftp_lstat
+sftp_mkdir
+sftp_new
+sftp_new_channel
+sftp_open
+sftp_opendir
+sftp_read
+sftp_readdir
+sftp_readlink
+sftp_rename
+sftp_reply_attr
+sftp_reply_data
+sftp_reply_handle
+sftp_reply_name
+sftp_reply_names
+sftp_reply_names_add
+sftp_reply_status
+sftp_rewind
+sftp_rmdir
+sftp_seek
+sftp_seek64
+sftp_send_client_message
+sftp_server_free
+sftp_server_init
+sftp_server_new
+sftp_server_version
+sftp_setstat
+sftp_stat
+sftp_statvfs
+sftp_statvfs_free
+sftp_symlink
+sftp_tell
+sftp_tell64
+sftp_unlink
+sftp_utimes
+sftp_write
+ssh_accept
+ssh_add_channel_callbacks
+ssh_auth_list
+ssh_basename
+ssh_bind_accept
+ssh_bind_accept_fd
+ssh_bind_fd_toaccept
+ssh_bind_free
+ssh_bind_get_fd
+ssh_bind_listen
+ssh_bind_new
+ssh_bind_options_parse_config
+ssh_bind_options_set
+ssh_bind_set_blocking
+ssh_bind_set_callbacks
+ssh_bind_set_fd
+ssh_blocking_flush
+ssh_buffer_add_data
+ssh_buffer_free
+ssh_buffer_get
+ssh_buffer_get_data
+ssh_buffer_get_len
+ssh_buffer_new
+ssh_buffer_reinit
+ssh_channel_accept_forward
+ssh_channel_accept_x11
+ssh_channel_cancel_forward
+ssh_channel_change_pty_size
+ssh_channel_close
+ssh_channel_free
+ssh_channel_get_exit_status
+ssh_channel_get_session
+ssh_channel_is_closed
+ssh_channel_is_eof
+ssh_channel_is_open
+ssh_channel_listen_forward
+ssh_channel_new
+ssh_channel_open_auth_agent
+ssh_channel_open_forward
+ssh_channel_open_forward_port
+ssh_channel_open_forward_unix
+ssh_channel_open_reverse_forward
+ssh_channel_open_session
+ssh_channel_open_x11
+ssh_channel_poll
+ssh_channel_poll_timeout
+ssh_channel_read
+ssh_channel_read_nonblocking
+ssh_channel_read_timeout
+ssh_channel_request_auth_agent
+ssh_channel_request_env
+ssh_channel_request_exec
+ssh_channel_request_pty
+ssh_channel_request_pty_size
+ssh_channel_request_send_break
+ssh_channel_request_send_exit_signal
+ssh_channel_request_send_exit_status
+ssh_channel_request_send_signal
+ssh_channel_request_sftp
+ssh_channel_request_shell
+ssh_channel_request_subsystem
+ssh_channel_request_x11
+ssh_channel_select
+ssh_channel_send_eof
+ssh_channel_set_blocking
+ssh_channel_set_counter
+ssh_channel_window_size
+ssh_channel_write
+ssh_channel_write_stderr
+ssh_clean_pubkey_hash
+ssh_connect
+ssh_connector_free
+ssh_connector_new
+ssh_connector_set_in_channel
+ssh_connector_set_in_fd
+ssh_connector_set_out_channel
+ssh_connector_set_out_fd
+ssh_copyright
+ssh_dirname
+ssh_disconnect
+ssh_dump_knownhost
+ssh_event_add_connector
+ssh_event_add_fd
+ssh_event_add_session
+ssh_event_dopoll
+ssh_event_free
+ssh_event_new
+ssh_event_remove_connector
+ssh_event_remove_fd
+ssh_event_remove_session
+ssh_execute_message_callbacks
+ssh_finalize
+ssh_forward_accept
+ssh_forward_cancel
+ssh_forward_listen
+ssh_free
+ssh_get_cipher_in
+ssh_get_cipher_out
+ssh_get_clientbanner
+ssh_get_disconnect_message
+ssh_get_error
+ssh_get_error_code
+ssh_get_fd
+ssh_get_fingerprint_hash
+ssh_get_hexa
+ssh_get_hmac_in
+ssh_get_hmac_out
+ssh_get_issue_banner
+ssh_get_kex_algo
+ssh_get_log_callback
+ssh_get_log_level
+ssh_get_log_userdata
+ssh_get_openssh_version
+ssh_get_poll_flags
+ssh_get_pubkey
+ssh_get_pubkey_hash
+ssh_get_publickey
+ssh_get_publickey_hash
+ssh_get_random
+ssh_get_server_publickey
+ssh_get_serverbanner
+ssh_get_status
+ssh_get_version
+ssh_getpass
+ssh_gssapi_get_creds
+ssh_gssapi_set_creds
+ssh_handle_key_exchange
+ssh_init
+ssh_is_blocking
+ssh_is_connected
+ssh_is_server_known
+ssh_key_cmp
+ssh_key_dup
+ssh_key_free
+ssh_key_is_private
+ssh_key_is_public
+ssh_key_new
+ssh_key_type
+ssh_key_type_from_name
+ssh_key_type_to_char
+ssh_known_hosts_parse_line
+ssh_knownhosts_entry_free
+ssh_log
+ssh_message_auth_interactive_request
+ssh_message_auth_kbdint_is_response
+ssh_message_auth_password
+ssh_message_auth_pubkey
+ssh_message_auth_publickey
+ssh_message_auth_publickey_state
+ssh_message_auth_reply_pk_ok
+ssh_message_auth_reply_pk_ok_simple
+ssh_message_auth_reply_success
+ssh_message_auth_set_methods
+ssh_message_auth_user
+ssh_message_channel_request_channel
+ssh_message_channel_request_command
+ssh_message_channel_request_env_name
+ssh_message_channel_request_env_value
+ssh_message_channel_request_open_destination
+ssh_message_channel_request_open_destination_port
+ssh_message_channel_request_open_originator
+ssh_message_channel_request_open_originator_port
+ssh_message_channel_request_open_reply_accept
+ssh_message_channel_request_open_reply_accept_channel
+ssh_message_channel_request_pty_height
+ssh_message_channel_request_pty_pxheight
+ssh_message_channel_request_pty_pxwidth
+ssh_message_channel_request_pty_term
+ssh_message_channel_request_pty_width
+ssh_message_channel_request_reply_success
+ssh_message_channel_request_subsystem
+ssh_message_channel_request_x11_auth_cookie
+ssh_message_channel_request_x11_auth_protocol
+ssh_message_channel_request_x11_screen_number
+ssh_message_channel_request_x11_single_connection
+ssh_message_free
+ssh_message_get
+ssh_message_global_request_address
+ssh_message_global_request_port
+ssh_message_global_request_reply_success
+ssh_message_reply_default
+ssh_message_retrieve
+ssh_message_service_reply_success
+ssh_message_service_service
+ssh_message_subtype
+ssh_message_type
+ssh_mkdir
+ssh_new
+ssh_options_copy
+ssh_options_get
+ssh_options_get_port
+ssh_options_getopt
+ssh_options_parse_config
+ssh_options_set
+ssh_pcap_file_close
+ssh_pcap_file_free
+ssh_pcap_file_new
+ssh_pcap_file_open
+ssh_pki_copy_cert_to_privkey
+ssh_pki_export_privkey_base64
+ssh_pki_export_privkey_file
+ssh_pki_export_privkey_to_pubkey
+ssh_pki_export_pubkey_base64
+ssh_pki_export_pubkey_file
+ssh_pki_generate
+ssh_pki_import_cert_base64
+ssh_pki_import_cert_file
+ssh_pki_import_privkey_base64
+ssh_pki_import_privkey_file
+ssh_pki_import_pubkey_base64
+ssh_pki_import_pubkey_file
+ssh_pki_key_ecdsa_name
+ssh_print_hash
+ssh_print_hexa
+ssh_privatekey_type
+ssh_publickey_to_file
+ssh_remove_channel_callbacks
+ssh_scp_accept_request
+ssh_scp_close
+ssh_scp_deny_request
+ssh_scp_free
+ssh_scp_init
+ssh_scp_leave_directory
+ssh_scp_new
+ssh_scp_pull_request
+ssh_scp_push_directory
+ssh_scp_push_file
+ssh_scp_push_file64
+ssh_scp_read
+ssh_scp_request_get_filename
+ssh_scp_request_get_permissions
+ssh_scp_request_get_size
+ssh_scp_request_get_size64
+ssh_scp_request_get_warning
+ssh_scp_write
+ssh_select
+ssh_send_debug
+ssh_send_ignore
+ssh_send_issue_banner
+ssh_send_keepalive
+ssh_server_init_kex
+ssh_service_request
+ssh_session_export_known_hosts_entry
+ssh_session_get_known_hosts_entry
+ssh_session_has_known_hosts_entry
+ssh_session_is_known_server
+ssh_session_set_disconnect_message
+ssh_session_update_known_hosts
+ssh_set_agent_channel
+ssh_set_agent_socket
+ssh_set_auth_methods
+ssh_set_blocking
+ssh_set_callbacks
+ssh_set_channel_callbacks
+ssh_set_counters
+ssh_set_fd_except
+ssh_set_fd_toread
+ssh_set_fd_towrite
+ssh_set_log_callback
+ssh_set_log_level
+ssh_set_log_userdata
+ssh_set_message_callback
+ssh_set_pcap_file
+ssh_set_server_callbacks
+ssh_silent_disconnect
+ssh_string_burn
+ssh_string_copy
+ssh_string_data
+ssh_string_fill
+ssh_string_free
+ssh_string_free_char
+ssh_string_from_char
+ssh_string_get_char
+ssh_string_len
+ssh_string_new
+ssh_string_to_char
+ssh_threads_get_default
+ssh_threads_get_noop
+ssh_threads_get_pthread
+ssh_threads_set_callbacks
+ssh_try_publickey_from_file
+ssh_userauth_agent
+ssh_userauth_agent_pubkey
+ssh_userauth_autopubkey
+ssh_userauth_gssapi
+ssh_userauth_kbdint
+ssh_userauth_kbdint_getanswer
+ssh_userauth_kbdint_getinstruction
+ssh_userauth_kbdint_getname
+ssh_userauth_kbdint_getnanswers
+ssh_userauth_kbdint_getnprompts
+ssh_userauth_kbdint_getprompt
+ssh_userauth_kbdint_setanswer
+ssh_userauth_list
+ssh_userauth_none
+ssh_userauth_offer_pubkey
+ssh_userauth_password
+ssh_userauth_privatekey_file
+ssh_userauth_pubkey
+ssh_userauth_publickey
+ssh_userauth_publickey_auto
+ssh_userauth_publickey_auto_get_current_identity
+ssh_userauth_try_publickey
+ssh_version
+ssh_vlog
+ssh_write_knownhost
+string_burn
+string_copy
+string_data
+string_fill
+string_free
+string_from_char
+string_len
+string_new
+string_to_char

src/ABI/libssh-4.9.4.symbols

@@ -0,0 +1,427 @@
+_ssh_log
+buffer_free
+buffer_get
+buffer_get_len
+buffer_new
+channel_accept_x11
+channel_change_pty_size
+channel_close
+channel_forward_accept
+channel_forward_cancel
+channel_forward_listen
+channel_free
+channel_get_exit_status
+channel_get_session
+channel_is_closed
+channel_is_eof
+channel_is_open
+channel_new
+channel_open_forward
+channel_open_session
+channel_poll
+channel_read
+channel_read_buffer
+channel_read_nonblocking
+channel_request_env
+channel_request_exec
+channel_request_pty
+channel_request_pty_size
+channel_request_send_signal
+channel_request_sftp
+channel_request_shell
+channel_request_subsystem
+channel_request_x11
+channel_select
+channel_send_eof
+channel_set_blocking
+channel_write
+channel_write_stderr
+privatekey_free
+privatekey_from_file
+publickey_free
+publickey_from_file
+publickey_from_privatekey
+publickey_to_string
+sftp_async_read
+sftp_async_read_begin
+sftp_attributes_free
+sftp_canonicalize_path
+sftp_chmod
+sftp_chown
+sftp_client_message_free
+sftp_client_message_get_data
+sftp_client_message_get_filename
+sftp_client_message_get_flags
+sftp_client_message_get_submessage
+sftp_client_message_get_type
+sftp_client_message_set_filename
+sftp_close
+sftp_closedir
+sftp_dir_eof
+sftp_extension_supported
+sftp_extensions_get_count
+sftp_extensions_get_data
+sftp_extensions_get_name
+sftp_file_set_blocking
+sftp_file_set_nonblocking
+sftp_free
+sftp_fstat
+sftp_fstatvfs
+sftp_fsync
+sftp_get_client_message
+sftp_get_error
+sftp_handle
+sftp_handle_alloc
+sftp_handle_remove
+sftp_init
+sftp_lstat
+sftp_mkdir
+sftp_new
+sftp_new_channel
+sftp_open
+sftp_opendir
+sftp_read
+sftp_readdir
+sftp_readlink
+sftp_rename
+sftp_reply_attr
+sftp_reply_data
+sftp_reply_handle
+sftp_reply_name
+sftp_reply_names
+sftp_reply_names_add
+sftp_reply_status
+sftp_rewind
+sftp_rmdir
+sftp_seek
+sftp_seek64
+sftp_send_client_message
+sftp_server_free
+sftp_server_init
+sftp_server_new
+sftp_server_version
+sftp_setstat
+sftp_stat
+sftp_statvfs
+sftp_statvfs_free
+sftp_symlink
+sftp_tell
+sftp_tell64
+sftp_unlink
+sftp_utimes
+sftp_write
+ssh_accept
+ssh_add_channel_callbacks
+ssh_auth_list
+ssh_basename
+ssh_bind_accept
+ssh_bind_accept_fd
+ssh_bind_fd_toaccept
+ssh_bind_free
+ssh_bind_get_fd
+ssh_bind_listen
+ssh_bind_new
+ssh_bind_options_parse_config
+ssh_bind_options_set
+ssh_bind_set_blocking
+ssh_bind_set_callbacks
+ssh_bind_set_fd
+ssh_blocking_flush
+ssh_buffer_add_data
+ssh_buffer_free
+ssh_buffer_get
+ssh_buffer_get_data
+ssh_buffer_get_len
+ssh_buffer_new
+ssh_buffer_reinit
+ssh_channel_accept_forward
+ssh_channel_accept_x11
+ssh_channel_cancel_forward
+ssh_channel_change_pty_size
+ssh_channel_close
+ssh_channel_free
+ssh_channel_get_exit_status
+ssh_channel_get_session
+ssh_channel_is_closed
+ssh_channel_is_eof
+ssh_channel_is_open
+ssh_channel_listen_forward
+ssh_channel_new
+ssh_channel_open_auth_agent
+ssh_channel_open_forward
+ssh_channel_open_forward_port
+ssh_channel_open_forward_unix
+ssh_channel_open_reverse_forward
+ssh_channel_open_session
+ssh_channel_open_x11
+ssh_channel_poll
+ssh_channel_poll_timeout
+ssh_channel_read
+ssh_channel_read_nonblocking
+ssh_channel_read_timeout
+ssh_channel_request_auth_agent
+ssh_channel_request_env
+ssh_channel_request_exec
+ssh_channel_request_pty
+ssh_channel_request_pty_size
+ssh_channel_request_send_break
+ssh_channel_request_send_exit_signal
+ssh_channel_request_send_exit_status
+ssh_channel_request_send_signal
+ssh_channel_request_sftp
+ssh_channel_request_shell
+ssh_channel_request_subsystem
+ssh_channel_request_x11
+ssh_channel_select
+ssh_channel_send_eof
+ssh_channel_set_blocking
+ssh_channel_set_counter
+ssh_channel_window_size
+ssh_channel_write
+ssh_channel_write_stderr
+ssh_clean_pubkey_hash
+ssh_connect
+ssh_connector_free
+ssh_connector_new
+ssh_connector_set_in_channel
+ssh_connector_set_in_fd
+ssh_connector_set_out_channel
+ssh_connector_set_out_fd
+ssh_copyright
+ssh_dirname
+ssh_disconnect
+ssh_dump_knownhost
+ssh_event_add_connector
+ssh_event_add_fd
+ssh_event_add_session
+ssh_event_dopoll
+ssh_event_free
+ssh_event_new
+ssh_event_remove_connector
+ssh_event_remove_fd
+ssh_event_remove_session
+ssh_execute_message_callbacks
+ssh_finalize
+ssh_forward_accept
+ssh_forward_cancel
+ssh_forward_listen
+ssh_free
+ssh_get_cipher_in
+ssh_get_cipher_out
+ssh_get_clientbanner
+ssh_get_disconnect_message
+ssh_get_error
+ssh_get_error_code
+ssh_get_fd
+ssh_get_fingerprint_hash
+ssh_get_hexa
+ssh_get_hmac_in
+ssh_get_hmac_out
+ssh_get_issue_banner
+ssh_get_kex_algo
+ssh_get_log_callback
+ssh_get_log_level
+ssh_get_log_userdata
+ssh_get_openssh_version
+ssh_get_poll_flags
+ssh_get_pubkey
+ssh_get_pubkey_hash
+ssh_get_publickey
+ssh_get_publickey_hash
+ssh_get_random
+ssh_get_server_publickey
+ssh_get_serverbanner
+ssh_get_status
+ssh_get_version
+ssh_getpass
+ssh_gssapi_get_creds
+ssh_gssapi_set_creds
+ssh_handle_key_exchange
+ssh_init
+ssh_is_blocking
+ssh_is_connected
+ssh_is_server_known
+ssh_key_cmp
+ssh_key_dup
+ssh_key_free
+ssh_key_is_private
+ssh_key_is_public
+ssh_key_new
+ssh_key_type
+ssh_key_type_from_name
+ssh_key_type_to_char
+ssh_known_hosts_parse_line
+ssh_knownhosts_entry_free
+ssh_log
+ssh_message_auth_interactive_request
+ssh_message_auth_kbdint_is_response
+ssh_message_auth_password
+ssh_message_auth_pubkey
+ssh_message_auth_publickey
+ssh_message_auth_publickey_state
+ssh_message_auth_reply_pk_ok
+ssh_message_auth_reply_pk_ok_simple
+ssh_message_auth_reply_success
+ssh_message_auth_set_methods
+ssh_message_auth_user
+ssh_message_channel_request_channel
+ssh_message_channel_request_command
+ssh_message_channel_request_env_name
+ssh_message_channel_request_env_value
+ssh_message_channel_request_open_destination
+ssh_message_channel_request_open_destination_port
+ssh_message_channel_request_open_originator
+ssh_message_channel_request_open_originator_port
+ssh_message_channel_request_open_reply_accept
+ssh_message_channel_request_open_reply_accept_channel
+ssh_message_channel_request_pty_height
+ssh_message_channel_request_pty_pxheight
+ssh_message_channel_request_pty_pxwidth
+ssh_message_channel_request_pty_term
+ssh_message_channel_request_pty_width
+ssh_message_channel_request_reply_success
+ssh_message_channel_request_subsystem
+ssh_message_channel_request_x11_auth_cookie
+ssh_message_channel_request_x11_auth_protocol
+ssh_message_channel_request_x11_screen_number
+ssh_message_channel_request_x11_single_connection
+ssh_message_free
+ssh_message_get
+ssh_message_global_request_address
+ssh_message_global_request_port
+ssh_message_global_request_reply_success
+ssh_message_reply_default
+ssh_message_retrieve
+ssh_message_service_reply_success
+ssh_message_service_service
+ssh_message_subtype
+ssh_message_type
+ssh_mkdir
+ssh_new
+ssh_options_copy
+ssh_options_get
+ssh_options_get_port
+ssh_options_getopt
+ssh_options_parse_config
+ssh_options_set
+ssh_pcap_file_close
+ssh_pcap_file_free
+ssh_pcap_file_new
+ssh_pcap_file_open
+ssh_pki_copy_cert_to_privkey
+ssh_pki_export_privkey_base64
+ssh_pki_export_privkey_file
+ssh_pki_export_privkey_to_pubkey
+ssh_pki_export_pubkey_base64
+ssh_pki_export_pubkey_file
+ssh_pki_generate
+ssh_pki_import_cert_base64
+ssh_pki_import_cert_file
+ssh_pki_import_privkey_base64
+ssh_pki_import_privkey_file
+ssh_pki_import_pubkey_base64
+ssh_pki_import_pubkey_file
+ssh_pki_key_ecdsa_name
+ssh_print_hash
+ssh_print_hexa
+ssh_privatekey_type
+ssh_publickey_to_file
+ssh_remove_channel_callbacks
+ssh_scp_accept_request
+ssh_scp_close
+ssh_scp_deny_request
+ssh_scp_free
+ssh_scp_init
+ssh_scp_leave_directory
+ssh_scp_new
+ssh_scp_pull_request
+ssh_scp_push_directory
+ssh_scp_push_file
+ssh_scp_push_file64
+ssh_scp_read
+ssh_scp_request_get_filename
+ssh_scp_request_get_permissions
+ssh_scp_request_get_size
+ssh_scp_request_get_size64
+ssh_scp_request_get_warning
+ssh_scp_write
+ssh_select
+ssh_send_debug
+ssh_send_ignore
+ssh_send_issue_banner
+ssh_send_keepalive
+ssh_server_init_kex
+ssh_service_request
+ssh_session_export_known_hosts_entry
+ssh_session_get_known_hosts_entry
+ssh_session_has_known_hosts_entry
+ssh_session_is_known_server
+ssh_session_set_disconnect_message
+ssh_session_update_known_hosts
+ssh_set_agent_channel
+ssh_set_agent_socket
+ssh_set_auth_methods
+ssh_set_blocking
+ssh_set_callbacks
+ssh_set_channel_callbacks
+ssh_set_counters
+ssh_set_fd_except
+ssh_set_fd_toread
+ssh_set_fd_towrite
+ssh_set_log_callback
+ssh_set_log_level
+ssh_set_log_userdata
+ssh_set_message_callback
+ssh_set_pcap_file
+ssh_set_server_callbacks
+ssh_silent_disconnect
+ssh_string_burn
+ssh_string_copy
+ssh_string_data
+ssh_string_fill
+ssh_string_free
+ssh_string_free_char
+ssh_string_from_char
+ssh_string_get_char
+ssh_string_len
+ssh_string_new
+ssh_string_to_char
+ssh_threads_get_default
+ssh_threads_get_noop
+ssh_threads_get_pthread
+ssh_threads_set_callbacks
+ssh_try_publickey_from_file
+ssh_userauth_agent
+ssh_userauth_agent_pubkey
+ssh_userauth_autopubkey
+ssh_userauth_gssapi
+ssh_userauth_kbdint
+ssh_userauth_kbdint_getanswer
+ssh_userauth_kbdint_getinstruction
+ssh_userauth_kbdint_getname
+ssh_userauth_kbdint_getnanswers
+ssh_userauth_kbdint_getnprompts
+ssh_userauth_kbdint_getprompt
+ssh_userauth_kbdint_setanswer
+ssh_userauth_list
+ssh_userauth_none
+ssh_userauth_offer_pubkey
+ssh_userauth_password
+ssh_userauth_privatekey_file
+ssh_userauth_pubkey
+ssh_userauth_publickey
+ssh_userauth_publickey_auto
+ssh_userauth_publickey_auto_get_current_identity
+ssh_userauth_try_publickey
+ssh_version
+ssh_vlog
+ssh_write_knownhost
+string_burn
+string_copy
+string_data
+string_fill
+string_free
+string_from_char
+string_len
+string_new
+string_to_char

src/ABI/libssh-4.9.5.symbols

@@ -0,0 +1,427 @@
+_ssh_log
+buffer_free
+buffer_get
+buffer_get_len
+buffer_new
+channel_accept_x11
+channel_change_pty_size
+channel_close
+channel_forward_accept
+channel_forward_cancel
+channel_forward_listen
+channel_free
+channel_get_exit_status
+channel_get_session
+channel_is_closed
+channel_is_eof
+channel_is_open
+channel_new
+channel_open_forward
+channel_open_session
+channel_poll
+channel_read
+channel_read_buffer
+channel_read_nonblocking
+channel_request_env
+channel_request_exec
+channel_request_pty
+channel_request_pty_size
+channel_request_send_signal
+channel_request_sftp
+channel_request_shell
+channel_request_subsystem
+channel_request_x11
+channel_select
+channel_send_eof
+channel_set_blocking
+channel_write
+channel_write_stderr
+privatekey_free
+privatekey_from_file
+publickey_free
+publickey_from_file
+publickey_from_privatekey
+publickey_to_string
+sftp_async_read
+sftp_async_read_begin
+sftp_attributes_free
+sftp_canonicalize_path
+sftp_chmod
+sftp_chown
+sftp_client_message_free
+sftp_client_message_get_data
+sftp_client_message_get_filename
+sftp_client_message_get_flags
+sftp_client_message_get_submessage
+sftp_client_message_get_type
+sftp_client_message_set_filename
+sftp_close
+sftp_closedir
+sftp_dir_eof
+sftp_extension_supported
+sftp_extensions_get_count
+sftp_extensions_get_data
+sftp_extensions_get_name
+sftp_file_set_blocking
+sftp_file_set_nonblocking
+sftp_free
+sftp_fstat
+sftp_fstatvfs
+sftp_fsync
+sftp_get_client_message
+sftp_get_error
+sftp_handle
+sftp_handle_alloc
+sftp_handle_remove
+sftp_init
+sftp_lstat
+sftp_mkdir
+sftp_new
+sftp_new_channel
+sftp_open
+sftp_opendir
+sftp_read
+sftp_readdir
+sftp_readlink
+sftp_rename
+sftp_reply_attr
+sftp_reply_data
+sftp_reply_handle
+sftp_reply_name
+sftp_reply_names
+sftp_reply_names_add
+sftp_reply_status
+sftp_rewind
+sftp_rmdir
+sftp_seek
+sftp_seek64
+sftp_send_client_message
+sftp_server_free
+sftp_server_init
+sftp_server_new
+sftp_server_version
+sftp_setstat
+sftp_stat
+sftp_statvfs
+sftp_statvfs_free
+sftp_symlink
+sftp_tell
+sftp_tell64
+sftp_unlink
+sftp_utimes
+sftp_write
+ssh_accept
+ssh_add_channel_callbacks
+ssh_auth_list
+ssh_basename
+ssh_bind_accept
+ssh_bind_accept_fd
+ssh_bind_fd_toaccept
+ssh_bind_free
+ssh_bind_get_fd
+ssh_bind_listen
+ssh_bind_new
+ssh_bind_options_parse_config
+ssh_bind_options_set
+ssh_bind_set_blocking
+ssh_bind_set_callbacks
+ssh_bind_set_fd
+ssh_blocking_flush
+ssh_buffer_add_data
+ssh_buffer_free
+ssh_buffer_get
+ssh_buffer_get_data
+ssh_buffer_get_len
+ssh_buffer_new
+ssh_buffer_reinit
+ssh_channel_accept_forward
+ssh_channel_accept_x11
+ssh_channel_cancel_forward
+ssh_channel_change_pty_size
+ssh_channel_close
+ssh_channel_free
+ssh_channel_get_exit_status
+ssh_channel_get_session
+ssh_channel_is_closed
+ssh_channel_is_eof
+ssh_channel_is_open
+ssh_channel_listen_forward
+ssh_channel_new
+ssh_channel_open_auth_agent
+ssh_channel_open_forward
+ssh_channel_open_forward_port
+ssh_channel_open_forward_unix
+ssh_channel_open_reverse_forward
+ssh_channel_open_session
+ssh_channel_open_x11
+ssh_channel_poll
+ssh_channel_poll_timeout
+ssh_channel_read
+ssh_channel_read_nonblocking
+ssh_channel_read_timeout
+ssh_channel_request_auth_agent
+ssh_channel_request_env
+ssh_channel_request_exec
+ssh_channel_request_pty
+ssh_channel_request_pty_size
+ssh_channel_request_send_break
+ssh_channel_request_send_exit_signal
+ssh_channel_request_send_exit_status
+ssh_channel_request_send_signal
+ssh_channel_request_sftp
+ssh_channel_request_shell
+ssh_channel_request_subsystem
+ssh_channel_request_x11
+ssh_channel_select
+ssh_channel_send_eof
+ssh_channel_set_blocking
+ssh_channel_set_counter
+ssh_channel_window_size
+ssh_channel_write
+ssh_channel_write_stderr
+ssh_clean_pubkey_hash
+ssh_connect
+ssh_connector_free
+ssh_connector_new
+ssh_connector_set_in_channel
+ssh_connector_set_in_fd
+ssh_connector_set_out_channel
+ssh_connector_set_out_fd
+ssh_copyright
+ssh_dirname
+ssh_disconnect
+ssh_dump_knownhost
+ssh_event_add_connector
+ssh_event_add_fd
+ssh_event_add_session
+ssh_event_dopoll
+ssh_event_free
+ssh_event_new
+ssh_event_remove_connector
+ssh_event_remove_fd
+ssh_event_remove_session
+ssh_execute_message_callbacks
+ssh_finalize
+ssh_forward_accept
+ssh_forward_cancel
+ssh_forward_listen
+ssh_free
+ssh_get_cipher_in
+ssh_get_cipher_out
+ssh_get_clientbanner
+ssh_get_disconnect_message
+ssh_get_error
+ssh_get_error_code
+ssh_get_fd
+ssh_get_fingerprint_hash
+ssh_get_hexa
+ssh_get_hmac_in
+ssh_get_hmac_out
+ssh_get_issue_banner
+ssh_get_kex_algo
+ssh_get_log_callback
+ssh_get_log_level
+ssh_get_log_userdata
+ssh_get_openssh_version
+ssh_get_poll_flags
+ssh_get_pubkey
+ssh_get_pubkey_hash
+ssh_get_publickey
+ssh_get_publickey_hash
+ssh_get_random
+ssh_get_server_publickey
+ssh_get_serverbanner
+ssh_get_status
+ssh_get_version
+ssh_getpass
+ssh_gssapi_get_creds
+ssh_gssapi_set_creds
+ssh_handle_key_exchange
+ssh_init
+ssh_is_blocking
+ssh_is_connected
+ssh_is_server_known
+ssh_key_cmp
+ssh_key_dup
+ssh_key_free
+ssh_key_is_private
+ssh_key_is_public
+ssh_key_new
+ssh_key_type
+ssh_key_type_from_name
+ssh_key_type_to_char
+ssh_known_hosts_parse_line
+ssh_knownhosts_entry_free
+ssh_log
+ssh_message_auth_interactive_request
+ssh_message_auth_kbdint_is_response
+ssh_message_auth_password
+ssh_message_auth_pubkey
+ssh_message_auth_publickey
+ssh_message_auth_publickey_state
+ssh_message_auth_reply_pk_ok
+ssh_message_auth_reply_pk_ok_simple
+ssh_message_auth_reply_success
+ssh_message_auth_set_methods
+ssh_message_auth_user
+ssh_message_channel_request_channel
+ssh_message_channel_request_command
+ssh_message_channel_request_env_name
+ssh_message_channel_request_env_value
+ssh_message_channel_request_open_destination
+ssh_message_channel_request_open_destination_port
+ssh_message_channel_request_open_originator
+ssh_message_channel_request_open_originator_port
+ssh_message_channel_request_open_reply_accept
+ssh_message_channel_request_open_reply_accept_channel
+ssh_message_channel_request_pty_height
+ssh_message_channel_request_pty_pxheight
+ssh_message_channel_request_pty_pxwidth
+ssh_message_channel_request_pty_term
+ssh_message_channel_request_pty_width
+ssh_message_channel_request_reply_success
+ssh_message_channel_request_subsystem
+ssh_message_channel_request_x11_auth_cookie
+ssh_message_channel_request_x11_auth_protocol
+ssh_message_channel_request_x11_screen_number
+ssh_message_channel_request_x11_single_connection
+ssh_message_free
+ssh_message_get
+ssh_message_global_request_address
+ssh_message_global_request_port
+ssh_message_global_request_reply_success
+ssh_message_reply_default
+ssh_message_retrieve
+ssh_message_service_reply_success
+ssh_message_service_service
+ssh_message_subtype
+ssh_message_type
+ssh_mkdir
+ssh_new
+ssh_options_copy
+ssh_options_get
+ssh_options_get_port
+ssh_options_getopt
+ssh_options_parse_config
+ssh_options_set
+ssh_pcap_file_close
+ssh_pcap_file_free
+ssh_pcap_file_new
+ssh_pcap_file_open
+ssh_pki_copy_cert_to_privkey
+ssh_pki_export_privkey_base64
+ssh_pki_export_privkey_file
+ssh_pki_export_privkey_to_pubkey
+ssh_pki_export_pubkey_base64
+ssh_pki_export_pubkey_file
+ssh_pki_generate
+ssh_pki_import_cert_base64
+ssh_pki_import_cert_file
+ssh_pki_import_privkey_base64
+ssh_pki_import_privkey_file
+ssh_pki_import_pubkey_base64
+ssh_pki_import_pubkey_file
+ssh_pki_key_ecdsa_name
+ssh_print_hash
+ssh_print_hexa
+ssh_privatekey_type
+ssh_publickey_to_file
+ssh_remove_channel_callbacks
+ssh_scp_accept_request
+ssh_scp_close
+ssh_scp_deny_request
+ssh_scp_free
+ssh_scp_init
+ssh_scp_leave_directory
+ssh_scp_new
+ssh_scp_pull_request
+ssh_scp_push_directory
+ssh_scp_push_file
+ssh_scp_push_file64
+ssh_scp_read
+ssh_scp_request_get_filename
+ssh_scp_request_get_permissions
+ssh_scp_request_get_size
+ssh_scp_request_get_size64
+ssh_scp_request_get_warning
+ssh_scp_write
+ssh_select
+ssh_send_debug
+ssh_send_ignore
+ssh_send_issue_banner
+ssh_send_keepalive
+ssh_server_init_kex
+ssh_service_request
+ssh_session_export_known_hosts_entry
+ssh_session_get_known_hosts_entry
+ssh_session_has_known_hosts_entry
+ssh_session_is_known_server
+ssh_session_set_disconnect_message
+ssh_session_update_known_hosts
+ssh_set_agent_channel
+ssh_set_agent_socket
+ssh_set_auth_methods
+ssh_set_blocking
+ssh_set_callbacks
+ssh_set_channel_callbacks
+ssh_set_counters
+ssh_set_fd_except
+ssh_set_fd_toread
+ssh_set_fd_towrite
+ssh_set_log_callback
+ssh_set_log_level
+ssh_set_log_userdata
+ssh_set_message_callback
+ssh_set_pcap_file
+ssh_set_server_callbacks
+ssh_silent_disconnect
+ssh_string_burn
+ssh_string_copy
+ssh_string_data
+ssh_string_fill
+ssh_string_free
+ssh_string_free_char
+ssh_string_from_char
+ssh_string_get_char
+ssh_string_len
+ssh_string_new
+ssh_string_to_char
+ssh_threads_get_default
+ssh_threads_get_noop
+ssh_threads_get_pthread
+ssh_threads_set_callbacks
+ssh_try_publickey_from_file
+ssh_userauth_agent
+ssh_userauth_agent_pubkey
+ssh_userauth_autopubkey
+ssh_userauth_gssapi
+ssh_userauth_kbdint
+ssh_userauth_kbdint_getanswer
+ssh_userauth_kbdint_getinstruction
+ssh_userauth_kbdint_getname
+ssh_userauth_kbdint_getnanswers
+ssh_userauth_kbdint_getnprompts
+ssh_userauth_kbdint_getprompt
+ssh_userauth_kbdint_setanswer
+ssh_userauth_list
+ssh_userauth_none
+ssh_userauth_offer_pubkey
+ssh_userauth_password
+ssh_userauth_privatekey_file
+ssh_userauth_pubkey
+ssh_userauth_publickey
+ssh_userauth_publickey_auto
+ssh_userauth_publickey_auto_get_current_identity
+ssh_userauth_try_publickey
+ssh_version
+ssh_vlog
+ssh_write_knownhost
+string_burn
+string_copy
+string_data
+string_fill
+string_free
+string_from_char
+string_len
+string_new
+string_to_char

src/CMakeLists.txt

@@ -184,6 +184,8 @@ if (WITH_GCRYPT)
         gcrypt_missing.c
         pki_gcrypt.c
         ecdh_gcrypt.c
+        getrandom_gcrypt.c
+        md_gcrypt.c
         dh_key.c
         pki_ed25519.c
         external/ed25519.c
@@ -207,6 +209,8 @@ elseif (WITH_MBEDTLS)
         mbedcrypto_missing.c
         pki_mbedcrypto.c
         ecdh_mbedcrypto.c
+        getrandom_mbedcrypto.c
+        md_mbedcrypto.c
         dh_key.c
         pki_ed25519.c
         external/ed25519.c
@@ -229,6 +233,8 @@ else (WITH_GCRYPT)
         threads/libcrypto.c
         pki_crypto.c
         ecdh_crypto.c
+        getrandom_crypto.c
+        md_crypto.c
         libcrypto.c
         dh_crypto.c
        )
@@ -300,12 +306,12 @@ if (WITH_GSSAPI AND GSSAPI_FOUND)
 endif (WITH_GSSAPI AND GSSAPI_FOUND)
 
 if (NOT WITH_NACL)
-    if (NOT HAVE_OPENSSL_ED25519)
+    if (NOT HAVE_LIBCRYPTO OR NOT HAVE_OPENSSL_ED25519)
         set(libssh_SRCS
             ${libssh_SRCS}
             external/curve25519_ref.c
            )
-    endif (NOT HAVE_OPENSSL_ED25519)
+    endif()
 endif (NOT WITH_NACL)
 
 # Set the path to the default map file
@@ -344,8 +350,10 @@ endif (WITH_SYMBOL_VERSIONING AND HAVE_LD_VERSION_SCRIPT AND ABIMAP_FOUND)
 add_library(ssh ${libssh_SRCS})
 target_compile_options(ssh
                        PRIVATE
-                           ${DEFAULT_C_COMPILE_FLAGS}
-                           -D_GNU_SOURCE)
+                           ${DEFAULT_C_COMPILE_FLAGS})
+if (CYGWIN)
+    target_compile_definitions(ssh PRIVATE _GNU_SOURCE)
+endif ()
 target_include_directories(ssh
                            PUBLIC
                                $<BUILD_INTERFACE:${libssh_SOURCE_DIR}/include>
@@ -404,8 +412,10 @@ if (BUILD_STATIC_LIB)
   add_library(ssh-static STATIC ${libssh_SRCS})
   target_compile_options(ssh-static
                          PRIVATE
-                            ${DEFAULT_C_COMPILE_FLAGS}
-                            -D_GNU_SOURCE)
+                             ${DEFAULT_C_COMPILE_FLAGS})
+  if (CYGWIN)
+    target_compile_definitions(ssh-static PRIVATE _GNU_SOURCE)
+  endif ()
 
   target_include_directories(ssh-static
                              PUBLIC

src/agent.c

@@ -150,11 +150,21 @@ static void agent_set_channel(struct ssh_agent_struct *agent, ssh_channel channe
   agent->channel = channel;
 }
 
+/**
+ * @addtogroup libssh_auth
+ *
+ * @{
+ */
+
 /** @brief sets the SSH agent channel.
  * The SSH agent channel will be used to authenticate this client using
  * an agent through a channel, from another session. The most likely use
  * is to implement SSH Agent forwarding into a SSH proxy.
+ *
+ * @param session the session
+ *
  * @param[in] channel a SSH channel from another session.
+ *
  * @returns SSH_OK in case of success
  *          SSH_ERROR in case of an error
  */
@@ -189,6 +199,10 @@ int ssh_set_agent_socket(ssh_session session, socket_t fd){
   return SSH_OK;
 }
 
+/**
+ * @}
+ */
+
 void ssh_agent_close(struct ssh_agent_struct *agent) {
   if (agent == NULL) {
     return;

src/auth.c

@@ -47,7 +47,7 @@
 #include "libssh/legacy.h"
 
 /**
- * @defgroup libssh_auth The SSH authentication functions.
+ * @defgroup libssh_auth The SSH authentication functions
  * @ingroup libssh
  *
  * Functions to authenticate with a server.
@@ -1140,6 +1140,7 @@ int ssh_userauth_publickey_auto(ssh_session session,
             state->privkey = NULL;
             state->pubkey = NULL;
 
+#ifdef WITH_PKCS11_URI
             if (ssh_pki_is_uri(privkey_file)) {
                 char *pub_uri_from_priv = NULL;
                 SSH_LOG(SSH_LOG_INFO,
@@ -1152,7 +1153,9 @@ int ssh_userauth_publickey_auto(ssh_session session,
                              pub_uri_from_priv);
                     SAFE_FREE(pub_uri_from_priv);
                 }
-            } else {
+            } else
+#endif /* WITH_PKCS11_URI */
+            {
                 snprintf(pubkey_file, sizeof(pubkey_file), "%s.pub", privkey_file);
             }
 

src/bignum.c

@@ -44,7 +44,7 @@ ssh_string ssh_make_bignum_string(bignum num) {
 
 #ifdef DEBUG_CRYPTO
   SSH_LOG(SSH_LOG_TRACE,
-          "%zu bits, %zu bytes, %zu padding\n",
+          "%zu bits, %zu bytes, %zu padding",
           bits, len, pad);
 #endif /* DEBUG_CRYPTO */
 
@@ -86,7 +86,8 @@ void ssh_print_bignum(const char *name, const_bignum num)
     if (num != NULL) {
         bignum_bn2hex(num, &hex);
     }
-    SSH_LOG(SSH_LOG_DEBUG, "%s value: %s\n", name, (hex == NULL) ? "(null)" : (char *) hex);
+    SSH_LOG(SSH_LOG_DEBUG, "%s value: %s", name,
+            (hex == NULL) ? "(null)" : (char *)hex);
 #ifdef HAVE_LIBGCRYPT
     SAFE_FREE(hex);
 #elif defined HAVE_LIBCRYPTO

src/bind.c

@@ -282,7 +282,7 @@ int ssh_bind_listen(ssh_bind sshbind) {
       }
 
       if (listen(fd, 10) < 0) {
-        char err_msg[] = {0};
+        char err_msg[SSH_ERRNO_MSG_MAX] = {0};
           ssh_set_error(sshbind, SSH_FATAL,
                   "Listening to socket %d: %s",
                   fd, ssh_strerror(errno, err_msg, SSH_ERRNO_MSG_MAX));
@@ -424,7 +424,9 @@ void ssh_bind_free(ssh_bind sshbind){
   SAFE_FREE(sshbind);
 }
 
-int ssh_bind_accept_fd(ssh_bind sshbind, ssh_session session, socket_t fd){
+int ssh_bind_accept_fd(ssh_bind sshbind, ssh_session session, socket_t fd)
+{
+    ssh_poll_handle handle = NULL;
     int i, rc;
 
     if (sshbind == NULL) {
@@ -516,7 +518,12 @@ int ssh_bind_accept_fd(ssh_bind sshbind, ssh_session session, socket_t fd){
       return SSH_ERROR;
     }
     ssh_socket_set_fd(session->socket, fd);
-    ssh_socket_get_poll_handle(session->socket);
+    handle = ssh_socket_get_poll_handle(session->socket);
+    if (handle == NULL) {
+        ssh_set_error_oom(sshbind);
+        return SSH_ERROR;
+    }
+    ssh_socket_set_connected(session->socket, handle);
 
     /* We must try to import any keys that could be imported in case
      * we are not using ssh_bind_listen (which is the other place

src/buffer.c

@@ -26,6 +26,7 @@
 #include <limits.h>
 #include <stdarg.h>
 #include <stdbool.h>
+#include <stdio.h>
 
 #ifndef _WIN32
 #include <netinet/in.h>
@@ -56,7 +57,7 @@ struct ssh_buffer_struct {
 #define BUFFER_SIZE_MAX 0x10000000
 
 /**
- * @defgroup libssh_buffer The SSH buffer functions.
+ * @defgroup libssh_buffer The SSH buffer functions
  * @ingroup libssh
  *
  * Functions to handle SSH buffers.
@@ -747,7 +748,8 @@ uint32_t ssh_buffer_get_u64(struct ssh_buffer_struct *buffer, uint64_t *data){
  */
 int ssh_buffer_validate_length(struct ssh_buffer_struct *buffer, size_t len)
 {
-    if (buffer->pos + len < len || buffer->pos + len > buffer->used) {
+    if (buffer == NULL || buffer->pos + len < len ||
+        buffer->pos + len > buffer->used) {
         return SSH_ERROR;
     }
 

src/channels.c

@@ -2499,7 +2499,8 @@ ssh_channel ssh_forward_accept(ssh_session session, int timeout_ms)
 
 /**
  * @brief Accept an incoming TCP/IP forwarding channel and get some information
- * about incomming connection
+ * about incoming connection
+ *
  * @param[in]  session    The ssh session to use.
  *
  * @param[in]  timeout_ms A timeout in milliseconds.
@@ -2515,7 +2516,8 @@ ssh_channel ssh_channel_accept_forward(ssh_session session, int timeout_ms, int*
 
 /**
  * @brief Accept an incoming TCP/IP forwarding channel and get information
- * about incomming connection
+ * about incoming connection
+ *
  * @param[in]  session    The ssh session to use.
  *
  * @param[in]  timeout_ms A timeout in milliseconds.
@@ -3809,4 +3811,4 @@ error:
 
 #endif
 
-/* @} */
+/** @} */

src/client.c

@@ -246,10 +246,13 @@ end:
  * @warning this function returning is no proof that DH handshake is
  * completed
  */
-static int dh_handshake(ssh_session session)
+int dh_handshake(ssh_session session)
 {
   int rc = SSH_AGAIN;
 
+  SSH_LOG(SSH_LOG_TRACE, "dh_handshake_state = %d, kex_type = %d",
+          session->dh_handshake_state,  session->next_crypto->kex_type);
+
   switch (session->dh_handshake_state) {
     case DH_STATE_INIT:
       switch(session->next_crypto->kex_type){
@@ -314,8 +317,13 @@ static int ssh_service_request_termination(void *s)
 }
 
 /**
- * @internal
+ * @addtogroup libssh_session
  *
+ * @{
+ */
+
+/**
+ * @internal
  * @brief Request a service from the SSH server.
  *
  * Service requests are for example: ssh-userauth, ssh-connection, etc.
@@ -376,12 +384,6 @@ pending:
   return rc;
 }
 
-/**
- * @addtogroup libssh_session
- *
- * @{
- */
-
 /**
  * @internal
  *
@@ -392,95 +394,101 @@ static void ssh_client_connection_callback(ssh_session session)
 {
     int rc;
 
-    switch(session->session_state) {
-        case SSH_SESSION_STATE_NONE:
-        case SSH_SESSION_STATE_CONNECTING:
-            break;
-        case SSH_SESSION_STATE_SOCKET_CONNECTED:
-            ssh_set_fd_towrite(session);
-            ssh_send_banner(session, 0);
+    SSH_LOG(SSH_LOG_DEBUG, "session_state=%d", session->session_state);
 
-            break;
-        case SSH_SESSION_STATE_BANNER_RECEIVED:
-            if (session->serverbanner == NULL) {
-                goto error;
-            }
-            set_status(session, 0.4f);
-            SSH_LOG(SSH_LOG_PROTOCOL,
-                    "SSH server banner: %s", session->serverbanner);
+    switch (session->session_state) {
+    case SSH_SESSION_STATE_NONE:
+    case SSH_SESSION_STATE_CONNECTING:
+        break;
+    case SSH_SESSION_STATE_SOCKET_CONNECTED:
+        ssh_set_fd_towrite(session);
+        ssh_send_banner(session, 0);
 
-            /* Here we analyze the different protocols the server allows. */
-            rc = ssh_analyze_banner(session, 0);
-            if (rc < 0) {
-                ssh_set_error(session, SSH_FATAL,
-                        "No version of SSH protocol usable (banner: %s)",
-                        session->serverbanner);
-                goto error;
-            }
+        break;
+    case SSH_SESSION_STATE_BANNER_RECEIVED:
+        if (session->serverbanner == NULL) {
+            goto error;
+        }
+        set_status(session, 0.4f);
+        SSH_LOG(SSH_LOG_PROTOCOL,
+                "SSH server banner: %s", session->serverbanner);
 
-            ssh_packet_register_socket_callback(session, session->socket);
+        /* Here we analyze the different protocols the server allows. */
+        rc = ssh_analyze_banner(session, 0);
+        if (rc < 0) {
+            ssh_set_error(session, SSH_FATAL,
+                          "No version of SSH protocol usable (banner: %s)",
+                          session->serverbanner);
+            goto error;
+        }
 
-            ssh_packet_set_default_callbacks(session);
-            session->session_state = SSH_SESSION_STATE_INITIAL_KEX;
+        ssh_packet_register_socket_callback(session, session->socket);
+
+        ssh_packet_set_default_callbacks(session);
+        session->session_state = SSH_SESSION_STATE_INITIAL_KEX;
+        rc = ssh_set_client_kex(session);
+        if (rc != SSH_OK) {
+            goto error;
+        }
+        rc = ssh_send_kex(session);
+        if (rc < 0) {
+            goto error;
+        }
+        set_status(session, 0.5f);
+
+        break;
+    case SSH_SESSION_STATE_INITIAL_KEX:
+        /* TODO: This state should disappear in favor of get_key handle */
+        break;
+    case SSH_SESSION_STATE_KEXINIT_RECEIVED:
+        set_status(session, 0.6f);
+        ssh_list_kex(&session->next_crypto->server_kex);
+        if ((session->flags & SSH_SESSION_FLAG_KEXINIT_SENT) == 0) {
+            /* in rekeying state if next_crypto client_kex might be empty */
             rc = ssh_set_client_kex(session);
             if (rc != SSH_OK) {
                 goto error;
             }
-            rc = ssh_send_kex(session, 0);
+            rc = ssh_send_kex(session);
             if (rc < 0) {
                 goto error;
             }
-            set_status(session, 0.5f);
-
-            break;
-        case SSH_SESSION_STATE_INITIAL_KEX:
-            /* TODO: This state should disappear in favor of get_key handle */
-            break;
-        case SSH_SESSION_STATE_KEXINIT_RECEIVED:
-            set_status(session,0.6f);
-            ssh_list_kex(&session->next_crypto->server_kex);
-            if (session->next_crypto->client_kex.methods[0] == NULL) {
-                /* in rekeying state if next_crypto client_kex is empty */
-                rc = ssh_set_client_kex(session);
-                if (rc != SSH_OK) {
-                    goto error;
-                }
-                rc = ssh_send_kex(session, 0);
-                if (rc < 0) {
-                    goto error;
-                }
-            }
-            if (ssh_kex_select_methods(session) == SSH_ERROR)
-                goto error;
-            set_status(session,0.8f);
-            session->session_state=SSH_SESSION_STATE_DH;
-            if (dh_handshake(session) == SSH_ERROR) {
-                goto error;
-            }
-            FALL_THROUGH;
-        case SSH_SESSION_STATE_DH:
-            if(session->dh_handshake_state==DH_STATE_FINISHED){
-                set_status(session,1.0f);
-                session->connected = 1;
-                if (session->flags & SSH_SESSION_FLAG_AUTHENTICATED)
-                    session->session_state = SSH_SESSION_STATE_AUTHENTICATED;
-                else
-                    session->session_state=SSH_SESSION_STATE_AUTHENTICATING;
-            }
-            break;
-        case SSH_SESSION_STATE_AUTHENTICATING:
-            break;
-        case SSH_SESSION_STATE_ERROR:
+        }
+        if (ssh_kex_select_methods(session) == SSH_ERROR)
             goto error;
-        default:
-            ssh_set_error(session,SSH_FATAL,"Invalid state %d",session->session_state);
+        set_status(session, 0.8f);
+        session->session_state = SSH_SESSION_STATE_DH;
+
+        /* If the init packet was already sent in previous step, this will be no
+         * operation */
+        if (dh_handshake(session) == SSH_ERROR) {
+            goto error;
+        }
+        FALL_THROUGH;
+    case SSH_SESSION_STATE_DH:
+        if (session->dh_handshake_state == DH_STATE_FINISHED) {
+            set_status(session, 1.0f);
+            session->connected = 1;
+            if (session->flags & SSH_SESSION_FLAG_AUTHENTICATED)
+                session->session_state = SSH_SESSION_STATE_AUTHENTICATED;
+            else
+                session->session_state=SSH_SESSION_STATE_AUTHENTICATING;
+        }
+        break;
+    case SSH_SESSION_STATE_AUTHENTICATING:
+        break;
+    case SSH_SESSION_STATE_ERROR:
+        goto error;
+    default:
+        ssh_set_error(session, SSH_FATAL, "Invalid state %d",
+                      session->session_state);
     }
 
     return;
 error:
     ssh_socket_close(session->socket);
     session->alive = 0;
-    session->session_state=SSH_SESSION_STATE_ERROR;
+    session->session_state = SSH_SESSION_STATE_ERROR;
 
 }
 
@@ -731,8 +739,8 @@ ssh_session_set_disconnect_message(ssh_session session, const char *message)
  *
  * The session can then be reused to open a new session.
  *
- * @note Note that this function wont close the socket if it was set with
- * @ssh_options_set and SSH_OPTIONS_FD. You're responsible for closing the
+ * @note Note that this function won't close the socket if it was set with
+ * ssh_options_set and SSH_OPTIONS_FD. You're responsible for closing the
  * socket. This is new behavior in libssh 0.10.
  *
  * @param[in]  session  The SSH session to use.
@@ -834,9 +842,16 @@ error:
     }
 }
 
+/**
+ * @brief Copyright information
+ *
+ * Returns copyright information
+ *
+ * @returns SSH_STRING copyright
+ */
 const char *ssh_copyright(void)
 {
-    return SSH_STRINGIFY(LIBSSH_VERSION) " (c) 2003-2022 "
+    return SSH_STRINGIFY(LIBSSH_VERSION) " (c) 2003-2023 "
            "Aris Adamantiadis, Andreas Schneider "
            "and libssh contributors. "
            "Distributed under the LGPL, please refer to COPYING "

src/config.c

@@ -356,7 +356,7 @@ ssh_exec_shell(char *cmd)
         if (rc == -1) {
             SSH_LOG(SSH_LOG_WARN, "dup2: %s",
                     ssh_strerror(errno, err_msg, SSH_ERRNO_MSG_MAX));
-	    exit(1);
+            exit(1);
         }
         if (devnull > STDERR_FILENO) {
             close(devnull);
@@ -395,7 +395,7 @@ ssh_exec_shell(char *cmd)
         }
     }
     if (!WIFEXITED(status)) {
-        SSH_LOG(SSH_LOG_WARN, "Command %s exitted abnormally", cmd);
+        SSH_LOG(SSH_LOG_WARN, "Command %s exited abnormally", cmd);
         return -1;
     }
     SSH_LOG(SSH_LOG_TRACE, "Command '%s' returned %d", cmd, WEXITSTATUS(status));
@@ -491,7 +491,7 @@ ssh_config_parse_proxy_jump(ssh_session session, const char *s, bool do_parsing)
     if (hostname != NULL && do_parsing) {
         char com[512] = {0};
 
-        rv = snprintf(com, sizeof(com), "ssh%s%s%s%s%s%s -W [%%h]:%%p %s",
+        rv = snprintf(com, sizeof(com), "ssh%s%s%s%s%s%s -W '[%%h]:%%p' %s",
                       username ? " -l " : "",
                       username ? username : "",
                       port ? " -p " : "",
@@ -548,6 +548,11 @@ ssh_config_make_absolute(ssh_session session,
         return out;
     }
 
+    /* paths starting with tilde are already absolute */
+    if (path[0] == '~') {
+        return ssh_path_expand_tilde(path);
+    }
+
     /* Parsing user config relative to home directory (generally ~/.ssh) */
     if (session->opts.sshdir == NULL) {
         ssh_set_error_invalid(session);
@@ -1001,7 +1006,7 @@ ssh_config_parse_line(ssh_session session,
         if (p == NULL) {
             break;
         } else if (strcmp(p, "default") == 0) {
-            /* Default rekey limits enforced automaticaly */
+            /* Default rekey limits enforced automatically */
             ll = 0;
         } else {
             char *endp = NULL;

src/config_parser.c

@@ -32,7 +32,7 @@
 #include "libssh/priv.h"
 
 /* Returns the original string after skipping the leading whitespace
- * and optional quotes.
+ * until finding LF.
  * This is useful in case we need to get the rest of the line (for example
  * external command).
  */
@@ -47,16 +47,7 @@ char *ssh_config_get_cmd(char **str)
             break;
         }
     }
-
-    if (*c == '\"') {
-        for (r = ++c; *c; c++) {
-            if (*c == '\"') {
-                *c = '\0';
-                goto out;
-            }
-        }
-    }
-
+    
     for (r = c; *c; c++) {
         if (*c == '\n') {
             *c = '\0';

src/connector.c

@@ -326,35 +326,40 @@ static void ssh_connector_fd_in_cb(ssh_connector connector)
 /** @internal
  * @brief Callback called when a poll event is received on an output fd
  */
-static void ssh_connector_fd_out_cb(ssh_connector connector){
+static void
+ssh_connector_fd_out_cb(ssh_connector connector)
+{
     unsigned char buffer[CHUNKSIZE];
     ssize_t r;
     ssize_t w;
     ssize_t total = 0;
-    SSH_LOG(SSH_LOG_TRACE, "connector POLLOUT event for fd %d", connector->out_fd);
+    SSH_LOG(SSH_LOG_TRACE, "connector POLLOUT event for fd %d",
+            connector->out_fd);
 
-    if(connector->in_available){
-        if (connector->in_channel != NULL){
-            r = ssh_channel_read_nonblocking(connector->in_channel, buffer, CHUNKSIZE, 0);
-            if(r == SSH_ERROR){
+    if (connector->in_available) {
+        if (connector->in_channel != NULL) {
+            r = ssh_channel_read_nonblocking(connector->in_channel, buffer,
+                                             CHUNKSIZE, 0);
+            if (r == SSH_ERROR) {
                 ssh_connector_except_channel(connector, connector->in_channel);
                 return;
-            } else if(r == 0 && ssh_channel_is_eof(connector->in_channel)){
+            } else if (r == 0 && ssh_channel_is_eof(connector->in_channel)) {
                 close(connector->out_fd);
                 connector->out_fd = SSH_INVALID_SOCKET;
                 return;
-            } else if(r>0) {
+            } else if (r > 0) {
                 /* loop around write in case the write blocks even for CHUNKSIZE bytes */
-                while (total != r){
-                        w = ssh_connector_fd_write(connector, buffer + total, r - total);
-                    if (w < 0){
+                while (total != r) {
+                    w = ssh_connector_fd_write(connector, buffer + total,
+                                               r - total);
+                    if (w < 0) {
                         ssh_connector_except(connector, connector->out_fd);
                         return;
                     }
                     total += w;
                 }
             }
-        } else if (connector->in_fd != SSH_INVALID_SOCKET){
+        } else if (connector->in_fd != SSH_INVALID_SOCKET) {
             /* fallback on the socket input callback */
             connector->out_wontblock = 1;
             ssh_connector_fd_in_cb(connector);

src/curve25519.c

@@ -39,7 +39,7 @@
 #include "libssh/pki.h"
 #include "libssh/bignum.h"
 
-#ifdef HAVE_OPENSSL_X25519
+#if defined(HAVE_LIBCRYPTO) && defined(HAVE_OPENSSL_X25519)
 #include <openssl/err.h>
 #endif
 
@@ -59,7 +59,7 @@ static struct ssh_packet_callbacks_struct ssh_curve25519_client_callbacks = {
 static int ssh_curve25519_init(ssh_session session)
 {
     int rc;
-#ifdef HAVE_OPENSSL_X25519
+#if defined(HAVE_LIBCRYPTO) && defined(HAVE_OPENSSL_X25519)
     EVP_PKEY_CTX *pctx = NULL;
     EVP_PKEY *pkey = NULL;
     size_t pubkey_len = CURVE25519_PUBKEY_SIZE;
@@ -136,7 +136,7 @@ static int ssh_curve25519_init(ssh_session session)
         crypto_scalarmult_base(session->next_crypto->curve25519_client_pubkey,
                                session->next_crypto->curve25519_privkey);
     }
-#endif /* HAVE_OPENSSL_X25519 */
+#endif /* defined(HAVE_LIBCRYPTO) && defined(HAVE_OPENSSL_X25519) */
 
     return SSH_OK;
 }
@@ -172,11 +172,16 @@ int ssh_client_curve25519_init(ssh_session session)
     return rc;
 }
 
+void ssh_client_curve25519_remove_callbacks(ssh_session session)
+{
+    ssh_packet_remove_callbacks(session, &ssh_curve25519_client_callbacks);
+}
+
 static int ssh_curve25519_build_k(ssh_session session)
 {
     ssh_curve25519_pubkey k;
 
-#ifdef HAVE_OPENSSL_X25519
+#if defined(HAVE_LIBCRYPTO) && defined(HAVE_OPENSSL_X25519)
     EVP_PKEY_CTX *pctx = NULL;
     EVP_PKEY *pkey = NULL, *pubkey = NULL;
     size_t shared_key_len = sizeof(k);
@@ -255,7 +260,7 @@ out:
         crypto_scalarmult(k, session->next_crypto->curve25519_privkey,
                           session->next_crypto->curve25519_server_pubkey);
     }
-#endif /* HAVE_OPENSSL_X25519 */
+#endif /* defined(HAVE_LIBCRYPTO) && defined(HAVE_OPENSSL_X25519) */
 
     bignum_bin2bn(k, CURVE25519_PUBKEY_SIZE, &session->next_crypto->shared_secret);
     if (session->next_crypto->shared_secret == NULL) {
@@ -285,7 +290,7 @@ static SSH_PACKET_CALLBACK(ssh_packet_client_curve25519_reply){
   (void)type;
   (void)user;
 
-  ssh_packet_remove_callbacks(session, &ssh_curve25519_client_callbacks);
+  ssh_client_curve25519_remove_callbacks(session);
 
   pubkey_blob = ssh_buffer_get_ssh_string(packet);
   if (pubkey_blob == NULL) {
@@ -408,8 +413,8 @@ static SSH_PACKET_CALLBACK(ssh_packet_server_curve25519_init){
     memcpy(session->next_crypto->curve25519_client_pubkey,
            ssh_string_data(q_c_string), CURVE25519_PUBKEY_SIZE);
     SSH_STRING_FREE(q_c_string);
-    /* Build server's keypair */
 
+    /* Build server's key pair */
     rc = ssh_curve25519_init(session);
     if (rc != SSH_OK) {
         ssh_set_error(session, SSH_FATAL, "Failed to generate curve25519 keys");

src/dh-gex.c

@@ -37,7 +37,7 @@
 #include "libssh/buffer.h"
 #include "libssh/session.h"
 
-/* Minimum, recommanded and maximum size of DH group */
+/* Minimum, recommended and maximum size of DH group */
 #define DH_PMIN 2048
 #define DH_PREQ 2048
 #define DH_PMAX 8192
@@ -248,6 +248,11 @@ error:
     return SSH_PACKET_USED;
 }
 
+void ssh_client_dhgex_remove_callbacks(ssh_session session)
+{
+    ssh_packet_remove_callbacks(session, &ssh_dhgex_client_callbacks);
+}
+
 static SSH_PACKET_CALLBACK(ssh_packet_client_dhgex_reply)
 {
     struct ssh_crypto_struct *crypto=session->next_crypto;
@@ -258,7 +263,7 @@ static SSH_PACKET_CALLBACK(ssh_packet_client_dhgex_reply)
     (void)user;
     SSH_LOG(SSH_LOG_PROTOCOL, "SSH_MSG_KEX_DH_GEX_REPLY received");
 
-    ssh_packet_remove_callbacks(session, &ssh_dhgex_client_callbacks);
+    ssh_client_dhgex_remove_callbacks(session);
     rc = ssh_buffer_unpack(packet,
                            "SBS",
                            &pubkey_blob, &server_pubkey,

src/dh.c

@@ -25,6 +25,8 @@
 
 #include "config.h"
 
+#include <stdio.h>
+
 #include "libssh/priv.h"
 #include "libssh/crypto.h"
 #include "libssh/buffer.h"
@@ -352,6 +354,11 @@ error:
   return SSH_ERROR;
 }
 
+void ssh_client_dh_remove_callbacks(ssh_session session)
+{
+    ssh_packet_remove_callbacks(session, &ssh_dh_client_callbacks);
+}
+
 SSH_PACKET_CALLBACK(ssh_packet_client_dh_reply){
   struct ssh_crypto_struct *crypto=session->next_crypto;
   ssh_string pubkey_blob = NULL;
@@ -361,7 +368,7 @@ SSH_PACKET_CALLBACK(ssh_packet_client_dh_reply){
   (void)type;
   (void)user;
 
-  ssh_packet_remove_callbacks(session, &ssh_dh_client_callbacks);
+  ssh_client_dh_remove_callbacks(session);
 
   rc = ssh_buffer_unpack(packet, "SBS", &pubkey_blob, &server_pubkey,
           &crypto->dh_server_signature);

src/dh_crypto.c

@@ -154,12 +154,9 @@ int ssh_dh_keypair_get_keys(struct dh_ctx *ctx, int peer,
 #endif /* OPENSSL_VERSION_NUMBER */
 
 int ssh_dh_keypair_set_keys(struct dh_ctx *ctx, int peer,
-                            const bignum priv, const bignum pub)
+                            bignum priv, bignum pub)
 {
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
-    bignum priv_key = NULL;
-    bignum pub_key = NULL;
-#else
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
     int rc;
     OSSL_PARAM *params = NULL, *out_params = NULL, *merged_params = NULL;
     OSSL_PARAM_BLD *param_bld = NULL;
@@ -172,7 +169,11 @@ int ssh_dh_keypair_set_keys(struct dh_ctx *ctx, int peer,
         return SSH_ERROR;
     }
 
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+    (void)DH_set0_key(ctx->keypair[peer], pub, priv);
+
+    return SSH_OK;
+#else
     rc = EVP_PKEY_todata(ctx->keypair[peer], EVP_PKEY_KEYPAIR, &out_params);
     if (rc != 1) {
         return SSH_ERROR;
@@ -195,35 +196,22 @@ int ssh_dh_keypair_set_keys(struct dh_ctx *ctx, int peer,
         rc = SSH_ERROR;
         goto out;
     }
-#endif /* OPENSSL_VERSION_NUMBER */
 
     if (priv) {
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
-        priv_key = priv;
-#else
         rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY, priv);
         if (rc != 1) {
             rc = SSH_ERROR;
             goto out;
         }
-#endif /* OPENSSL_VERSION_NUMBER */
     }
     if (pub) {
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
-        pub_key = pub;
-#else
         rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, pub);
         if (rc != 1) {
             rc = SSH_ERROR;
             goto out;
         }
-#endif /* OPENSSL_VERSION_NUMBER */
     }
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
-    (void)DH_set0_key(ctx->keypair[peer], pub_key, priv_key);
 
-    return SSH_OK;
-#else
     params = OSSL_PARAM_BLD_to_param(param_bld);
     if (params == NULL) {
         rc = SSH_ERROR;
@@ -248,6 +236,8 @@ int ssh_dh_keypair_set_keys(struct dh_ctx *ctx, int peer,
 
     rc = SSH_OK;
 out:
+    bignum_safe_free(priv);
+    bignum_safe_free(pub);
     EVP_PKEY_CTX_free(evp_ctx);
     OSSL_PARAM_free(out_params);
     OSSL_PARAM_free(params);
@@ -341,8 +331,16 @@ int ssh_dh_set_parameters(struct dh_ctx *ctx,
             goto done;
         }
 
-        OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, modulus);
-        OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, generator);
+        rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, modulus);
+        if (rc != 1) {
+            rc = SSH_ERROR;
+            goto done;
+        }
+        rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, generator);
+        if (rc != 1) {
+            rc = SSH_ERROR;
+            goto done;
+        }
         params = OSSL_PARAM_BLD_to_param(param_bld);
         if (params == NULL) {
             OSSL_PARAM_BLD_free(param_bld);
@@ -458,7 +456,8 @@ void ssh_dh_cleanup(struct ssh_crypto_struct *crypto)
 /** @internal
  * @brief generates a secret DH parameter of at least DH_SECURITY_BITS
  *        security as well as the corresponding public key.
- * @param[out] parms a dh_ctx that will hold the new keys.
+ *
+ * @param[out] params a dh_ctx that will hold the new keys.
  * @param peer Select either client or server key storage. Valid values are:
  *        DH_CLIENT_KEYPAIR or DH_SERVER_KEYPAIR
  *

src/dh_key.c

@@ -289,8 +289,10 @@ void ssh_dh_cleanup(struct ssh_crypto_struct *crypto)
 /** @internal
  * @brief generates a secret DH parameter of at least DH_SECURITY_BITS
  *        security as well as the corresponding public key.
- * @param[out] parms a dh_kex paramters structure with preallocated bignum
+ *
+ * @param[out] params a dh_kex parameters structure with preallocated bignum
  *             where to store the parameters
+ *
  * @return SSH_OK on success, SSH_ERROR on error
  */
 int ssh_dh_keypair_gen_keys(struct dh_ctx *dh_ctx, int peer)

src/ecdh.c

@@ -43,6 +43,11 @@ struct ssh_packet_callbacks_struct ssh_ecdh_client_callbacks = {
     .user = NULL
 };
 
+void ssh_client_ecdh_remove_callbacks(ssh_session session)
+{
+    ssh_packet_remove_callbacks(session, &ssh_ecdh_client_callbacks);
+}
+
 /** @internal
  * @brief parses a SSH_MSG_KEX_ECDH_REPLY packet and sends back
  * a SSH_MSG_NEWKEYS
@@ -55,7 +60,7 @@ SSH_PACKET_CALLBACK(ssh_packet_client_ecdh_reply){
   (void)type;
   (void)user;
 
-  ssh_packet_remove_callbacks(session, &ssh_ecdh_client_callbacks);
+  ssh_client_ecdh_remove_callbacks(session);
   pubkey_blob = ssh_buffer_get_ssh_string(packet);
   if (pubkey_blob == NULL) {
     ssh_set_error(session,SSH_FATAL, "No public key in packet");

src/ecdh_gcrypt.c

@@ -295,7 +295,7 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){
     }
     session->next_crypto->ecdh_client_pubkey = q_c_string;
 
-    /* Build server's keypair */
+    /* Build server's key pair */
     err = gcry_sexp_build(&param, NULL, "(genkey(ecdh(curve %s) (flags transient-key)))",
                           curve);
     if (err) {

src/error.c

@@ -29,7 +29,7 @@
 #include "libssh/session.h"
 
 /**
- * @defgroup libssh_error The SSH error functions.
+ * @defgroup libssh_error The SSH error functions
  * @ingroup libssh
  *
  * Functions for error handling.

src/external/bcrypt_pbkdf.c

@@ -42,7 +42,7 @@
  * function with the following modifications:
  * 1. The input password and salt are preprocessed with SHA512.
  * 2. The output length is expanded to 256 bits.
- * 3. Subsequently the magic string to be encrypted is lengthened and modifed
+ * 3. Subsequently the magic string to be encrypted is lengthened and modified
  *    to "OxychromaticBlowfishSwatDynamite"
  * 4. The hash function is defined to perform 64 rounds of initial state
  *    expansion. (More rounds are performed by iterating the hash.)

src/getrandom_crypto.c

@@ -0,0 +1,64 @@
+/*
+ * This file is part of the SSH Library
+ *
+ * Copyright (c) 2009 by Aris Adamantiadis
+ *
+ * The SSH Library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ *
+ * The SSH Library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
+ * License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the SSH Library; see the file COPYING.  If not, write to
+ * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
+ * MA 02111-1307, USA.
+ */
+
+#include "config.h"
+
+#include "libssh/crypto.h"
+#include <openssl/rand.h>
+
+/**
+ * @addtogroup libssh_misc
+ *
+ * @{
+ */
+
+/**
+ * @brief Get random bytes
+ *
+ * Make sure to always check the return code of this function!
+ *
+ * @param[in]  where    The buffer to fill with random bytes
+ *
+ * @param[in]  len      The size of the buffer to fill.
+ *
+ * @param[in]  strong   Use a strong or private RNG source.
+ *
+ * @return 1 on success, 0 on error.
+ */
+int
+ssh_get_random(void *where, int len, int strong)
+{
+#ifdef HAVE_OPENSSL_RAND_PRIV_BYTES
+    if (strong) {
+        /* Returns -1 when not supported, 0 on error, 1 on success */
+        return !!RAND_priv_bytes(where, len);
+    }
+#else
+    (void)strong;
+#endif /* HAVE_RAND_PRIV_BYTES */
+
+    /* Returns -1 when not supported, 0 on error, 1 on success */
+    return !!RAND_bytes(where, len);
+}
+
+/**
+ * @}
+ */

src/getrandom_gcrypt.c

@@ -0,0 +1,38 @@
+/*
+ * This file is part of the SSH Library
+ *
+ * Copyright (c) 2009 by Aris Adamantiadis
+ * Copyright (C) 2016 g10 Code GmbH
+ *
+ * The SSH Library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ *
+ * The SSH Library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
+ * License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the SSH Library; see the file COPYING.  If not, write to
+ * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
+ * MA 02111-1307, USA.
+ */
+
+#include "config.h"
+
+#include "libssh/crypto.h"
+#include <gcrypt.h>
+
+int
+ssh_get_random(void *where, int len, int strong)
+{
+    /* variable not used in gcrypt */
+    (void)strong;
+
+    /* not using GCRY_VERY_STRONG_RANDOM which is a bit overkill */
+    gcry_randomize(where, len, GCRY_STRONG_RANDOM);
+
+    return 1;
+}